authorDaniel Cheng <dcheng@chromium.org>2021-04-09 18:48:52 +0000
committerMichael Brüning <michael.bruning@qt.io>2021-11-10 18:31:45 +0000
commit2910985befbf2a6fc0c56825af99d6d617cf4799 (patch)
tree41b73e55b58e0107a875568c08e170725077315b
parentd259a1c2934fc62a99bd260bdc4f4fded89c2be2 (diff)
downloadqtwebengine-chromium-2910985befbf2a6fc0c56825af99d6d617cf4799.tar.gz
[Backport] Security bug 1184294
Manual backport (subdirectory update) of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2803936: Roll xdg-mime to 722325fba8968a26eb243642cbe89a044d6dfd6c. $ git log 2cdd8d36d..722325fba --date=short --no-merges --format='%ad %ae %s' 2021-03-18 kdudka@redhat.com Fix fd leak in error path 2021-01-06 hadess@hadess.net ci: Add CI 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warnings in src/xdgmimecache.c 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warnings in src/xdgmimecache.c:__gio_xdg_cache_list_mime_parents() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in src/xdgmimecache.c:__gio_xdg_cache_mime_type_subclass() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in src/xdgmimecache.c:cache_glob_node_lookup_suffix() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in rc/xdgmimecache.c:cache_glob_lookup_fnmatch() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in src/xdgmimecache.c:cache_magic_compare_to_data() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in src/xdgmimecache.c:cache_magic_matchlet_compare() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warnings in src/xdgmimecache.c:cache_magic_matchlet_compare_to_data() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warnings in src/xdgmimemagic.c:_xdg_mime_magic_matchlet_compare_to_data() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warnings in src/xdgmimemagic.c:_xdg_mime_magic_parse_magic_line() 2020-11-21 emmanuel.fleury@u-bordeaux.fr Fix signedness warning in src/xdgmimeint.c 2020-12-27 faure@kde.org Fix fallback after multiple matching globs 2020-12-27 faure@kde.org Fix usage information for print-mime-data 2019-06-03 withnall@endlessm.com xdgmime: Don’t set an out argument if it’s NULL 2018-11-19 ville.skytta@iki.fi Comment grammar fix 2018-07-16 mcatanzaro@igalia.com Fix buffer underflow in __gio_xdg_cache_mime_type_subclass() 2018-07-16 
mcatanzaro@igalia.com Fix special case for mime_type_subclass 2018-07-16 mcatanzaro@igalia.com Handle EINTR in open() 2018-07-16 mcatanzaro@igalia.com Don't forget to free resources on an early return 2018-07-16 mcatanzaro@igalia.com Fix void pointer arithmetic in cache_magic_matchlet_compare_to_data() 2018-07-16 mcatanzaro@igalia.com Fix use after free in xdg_mime_get_mime_type_for_file 2018-07-16 mcatanzaro@igalia.com Add space before paren in _xdg_mime_cache_get_mime_type_for_file 2018-06-30 mcatanzaro@igalia.com build: Add a .gitignore 2018-06-17 ville.skytta@iki.fi Spelling fixes 2017-09-05 hadess@hadess.net Check further into the file whether it is text or binary 2013-01-07 hadess@hadess.net tests: Fix current test-mime failures 2013-01-07 hadess@hadess.net tests: Make test-mime failures fatal 2013-01-07 hadess@hadess.net tests: Mime-types are not case-sensitive 2012-09-27 hadess@hadess.net Ignore non-regular files in print-mime-data 2012-09-25 hadess@hadess.net Add print-mime-data program Fixed: 1184294 Change-Id: I74717bb13d49088b18bd88404c7cf7b8032a7d99 Reviewed-by: Adrian Taylor <adetaylor@chromium.org> Reviewed-by: Thomas Anderson <thomasanderson@chromium.org> Commit-Queue: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/master@{#871055} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/base/third_party/xdg_mime/README2
-rw-r--r--chromium/base/third_party/xdg_mime/README.chromium18
-rw-r--r--chromium/base/third_party/xdg_mime/xdgmime.c42
-rw-r--r--chromium/base/third_party/xdg_mime/xdgmimecache.c90
-rw-r--r--chromium/base/third_party/xdg_mime/xdgmimeglob.c2
-rw-r--r--chromium/base/third_party/xdg_mime/xdgmimeint.c4
-rw-r--r--chromium/base/third_party/xdg_mime/xdgmimemagic.c17
7 files changed, 96 insertions, 79 deletions
diff --git a/chromium/base/third_party/xdg_mime/README b/chromium/base/third_party/xdg_mime/README
index e7f3f6859d3..9181a381c69 100644
--- a/chromium/base/third_party/xdg_mime/README
+++ b/chromium/base/third_party/xdg_mime/README
@@ -1,5 +1,5 @@
This module is a simple module that parses the proposed MIME spec listed
-at http://freedesktop.org/. It is currently targetted at version 0.12.
+at http://freedesktop.org/. It is currently targeted at version 0.12.
There are no formal releases planned for this module, and it is not
intended to be installed at this time. Rather, it is meant to be used
by other libraries or applications to add support for the MIME system.
diff --git a/chromium/base/third_party/xdg_mime/README.chromium b/chromium/base/third_party/xdg_mime/README.chromium
index 8212752095f..db13e2e9e64 100644
--- a/chromium/base/third_party/xdg_mime/README.chromium
+++ b/chromium/base/third_party/xdg_mime/README.chromium
@@ -1,14 +1,12 @@
Name: xdg-mime
-URL: http://freedesktop.org
+URL: https://gitlab.freedesktop.org/xdg/xdgmime
+Version: 722325fba8968a26eb243642cbe89a044d6dfd6c
+CPEPrefix: unknown
License: Academic Free License version 2.0 or LGPL v2
+Security critical: yes
-The code in this directory is synced from:
-git://anongit.freedesktop.org/xdg/xdgmime
-@ 2cdd8d36d7930d5a594587286cb1949ff62f7027 on 2012/08/06.
+Run //base/third_party/xdg_mime/roll.py to update this dependency.
-In addition, we have the following patch(es):
- - compile.patch: small tweaks to make the code compile.
- - free_pointer_later.patch: small patch that fixes potential crash in
- xdg_mime_get_mime_type_for_file() - use of pointer after being freed.
- - function_casts.patch: fix bad function casts.
- - Added a LICENSE file.
+Patches:
+- 000-have-mmap.patch: enable code guarded with HAVE_MMAP since
+ Chrome does not run autoconf.
diff --git a/chromium/base/third_party/xdg_mime/xdgmime.c b/chromium/base/third_party/xdg_mime/xdgmime.c
index f340fcefabb..d178e06b05b 100644
--- a/chromium/base/third_party/xdg_mime/xdgmime.c
+++ b/chromium/base/third_party/xdg_mime/xdgmime.c
@@ -136,7 +136,7 @@ xdg_dir_time_list_free (XdgDirTimeList *list)
}
static int
-xdg_mime_init_from_directory (const char *directory, void *user_data)
+xdg_mime_init_from_directory (const char *directory)
{
char *file_name;
struct stat st;
@@ -340,9 +340,8 @@ xdg_check_file (const char *file_path,
static int
xdg_check_dir (const char *directory,
- void *user_data)
+ int *invalid_dir_list)
{
- int *invalid_dir_list = user_data;
int invalid, exists;
char *file_name;
@@ -399,7 +398,8 @@ xdg_check_dirs (void)
for (list = dir_time_list; list; list = list->next)
list->checked = XDG_CHECKED_UNCHECKED;
- xdg_run_command_on_dirs (xdg_check_dir, &invalid_dir_list);
+ xdg_run_command_on_dirs ((XdgDirectoryFunc) xdg_check_dir,
+ &invalid_dir_list);
if (invalid_dir_list)
return TRUE;
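Review bot: The `(XdgDirectoryFunc)` cast on the `xdg_check_dir` argument here hides a signature mismatch rather than fixing it, and the `xdg_mime_init` hunk does the same for `xdg_mime_init_from_directory`, which now takes a single parameter. If `XdgDirectoryFunc` is the two-argument `(const char *, void *)` callback type (its typedef is outside this diff), calling through the cast pointer is undefined behaviour in C and is the kind of indirect call that CFI checks reject. The README.chromium hunk shows the local function_casts.patch being dropped in the same roll, so this looks like a regression of that fix. Keeping the callbacks at the callback type, e.g. `xdg_check_dir (const char *directory, void *user_data)` with `int *invalid_dir_list = user_data;`, removes the need for the cast.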
@@ -455,7 +455,8 @@ xdg_mime_init (void)
icon_list = _xdg_mime_icon_list_new ();
generic_icon_list = _xdg_mime_icon_list_new ();
- xdg_run_command_on_dirs (xdg_mime_init_from_directory, NULL);
+ xdg_run_command_on_dirs ((XdgDirectoryFunc) xdg_mime_init_from_directory,
+ NULL);
need_reread = FALSE;
}
@@ -470,7 +471,8 @@ xdg_mime_get_mime_type_for_data (const void *data,
if (len == 0)
{
- *result_prio = 100;
+ if (result_prio != NULL)
+ *result_prio = 100;
return XDG_MIME_TYPE_EMPTY;
}
@@ -557,12 +559,12 @@ xdg_mime_get_mime_type_for_file (const char *file_name,
mime_type = _xdg_mime_magic_lookup_data (global_magic, data, bytes_read, NULL,
mime_types, n);
- fclose (file);
-
if (!mime_type)
- mime_type = _xdg_binary_or_text_fallback(data, bytes_read);
+ mime_type = _xdg_binary_or_text_fallback (data, bytes_read);
free (data);
+ fclose (file);
+
return mime_type;
}
@@ -740,19 +742,28 @@ xdg_mime_media_type_equal (const char *mime_a,
#if 1
static int
-xdg_mime_is_super_type (const char *mime)
+ends_with (const char *str,
+ const char *suffix)
{
int length;
- const char *type;
+ int suffix_length;
- length = strlen (mime);
- type = &(mime[length - 2]);
+ length = strlen (str);
+ suffix_length = strlen (suffix);
+ if (length < suffix_length)
+ return 0;
- if (strcmp (type, "/*") == 0)
+ if (strcmp (str + length - suffix_length, suffix) == 0)
return 1;
return 0;
}
+
+static int
+xdg_mime_is_super_type (const char *mime)
+{
+ return ends_with (mime, "/*");
+}
#endif
int
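Review bot: `ends_with` stores both `strlen` results in `int`, so the `length < suffix_length` guard that replaces the old unchecked `mime[length - 2]` access depends on a narrowing conversion. Declaring them as `size_t length, suffix_length;` keeps the comparison and the `str + length - suffix_length` arithmetic in the type `strlen` returns. The helper is also added verbatim a second time in xdgmimecache.c; a single shared definition, next to `_xdg_binary_or_text_fallback` in xdgmimeint.c, would keep the two copies from drifting. A short comment such as `/* Returns 1 if str ends with suffix; safe when str is shorter than suffix. */` would record why the length check is there.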
@@ -783,7 +794,8 @@ _xdg_mime_mime_type_subclass (const char *mime,
strncmp (umime, "text/", 5) == 0)
return 1;
- if (strcmp (ubase, "application/octet-stream") == 0)
+ if (strcmp (ubase, "application/octet-stream") == 0 &&
+ strncmp (umime, "inode/", 6) != 0)
return 1;
parents = _xdg_mime_parent_list_lookup (parent_list, umime);
diff --git a/chromium/base/third_party/xdg_mime/xdgmimecache.c b/chromium/base/third_party/xdg_mime/xdgmimecache.c
index ddb875462a2..ccf29752778 100644
--- a/chromium/base/third_party/xdg_mime/xdgmimecache.c
+++ b/chromium/base/third_party/xdg_mime/xdgmimecache.c
@@ -34,6 +34,7 @@
#include <fcntl.h>
#include <unistd.h>
+#include <errno.h>
#include <fnmatch.h>
#include <assert.h>
@@ -122,7 +123,9 @@ _xdg_mime_cache_new_from_file (const char *file_name)
int minor;
/* Open the file and map it into memory */
- fd = open (file_name, O_RDONLY|_O_BINARY, 0);
+ do {
+ fd = open (file_name, O_RDONLY|_O_BINARY, 0);
+ } while (fd == -1 && errno == EINTR);
if (fd < 0)
return NULL;
@@ -173,7 +176,7 @@ cache_magic_matchlet_compare_to_data (XdgMimeCache *cache,
xdg_uint32_t data_offset = GET_UINT32 (cache->buffer, offset + 16);
xdg_uint32_t mask_offset = GET_UINT32 (cache->buffer, offset + 20);
- int i, j;
+ xdg_uint32_t i, j;
for (i = range_start; i < range_start + range_length; i++)
{
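Review bot: The loop bound `range_start + range_length` is still computed in 32-bit unsigned arithmetic from values that appear to be read straight out of the mapped cache file, so a large pair wraps and the loop silently runs zero times. Switching `i` and `j` to `xdg_uint32_t` removes the signedness warning but does not address that. The declarations of `range_start`, `range_length` and `data_length`, and whatever check bounds `i + data_length` against `len` before the `memcmp` in the next hunk, are outside the hunk. Confirm that check cannot wrap either, for instance by writing it as `if (data_length > len || i > len - data_length) return FALSE;`. `_xdg_mime_magic_matchlet_compare_to_data` in xdgmimemagic.c uses the same `offset + range_length` bound with `unsigned int` counters.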
@@ -196,7 +199,7 @@ cache_magic_matchlet_compare_to_data (XdgMimeCache *cache,
}
else
{
- valid_matchlet = memcmp(cache->buffer + data_offset, data + i, data_length) == 0;
+ valid_matchlet = memcmp(cache->buffer + data_offset, (unsigned char *)data + i, data_length) == 0;
}
if (valid_matchlet)
@@ -215,7 +218,7 @@ cache_magic_matchlet_compare (XdgMimeCache *cache,
xdg_uint32_t n_children = GET_UINT32 (cache->buffer, offset + 24);
xdg_uint32_t child_offset = GET_UINT32 (cache->buffer, offset + 28);
- int i;
+ xdg_uint32_t i;
if (cache_magic_matchlet_compare_to_data (cache, offset, data, len))
{
@@ -245,7 +248,7 @@ cache_magic_compare_to_data (XdgMimeCache *cache,
xdg_uint32_t n_matchlets = GET_UINT32 (cache->buffer, offset + 8);
xdg_uint32_t matchlet_offset = GET_UINT32 (cache->buffer, offset + 12);
- int i;
+ xdg_uint32_t i;
for (i = 0; i < n_matchlets; i++)
{
@@ -265,15 +268,13 @@ static const char *
cache_magic_lookup_data (XdgMimeCache *cache,
const void *data,
size_t len,
- int *prio,
- const char *mime_types[],
- int n_mime_types)
+ int *prio)
{
xdg_uint32_t list_offset;
xdg_uint32_t n_entries;
xdg_uint32_t offset;
- int j, n;
+ xdg_uint32_t j;
*prio = 0;
@@ -289,21 +290,6 @@ cache_magic_lookup_data (XdgMimeCache *cache,
data, len, prio);
if (match)
return match;
- else
- {
- xdg_uint32_t mimetype_offset;
- const char *non_match;
-
- mimetype_offset = GET_UINT32 (cache->buffer, offset + 16 * j + 4);
- non_match = cache->buffer + mimetype_offset;
-
- for (n = 0; n < n_mime_types; n++)
- {
- if (mime_types[n] &&
- _xdg_mime_mime_type_equal (mime_types[n], non_match))
- mime_types[n] = NULL;
- }
- }
}
return NULL;
@@ -412,7 +398,8 @@ cache_glob_lookup_fnmatch (const char *file_name,
const char *mime_type;
const char *ptr;
- int i, j, n;
+ int i, n;
+ xdg_uint32_t j;
n = 0;
for (i = 0; _caches[i]; i++)
@@ -468,7 +455,8 @@ cache_glob_node_lookup_suffix (XdgMimeCache *cache,
int weight;
int case_sensitive;
- int min, max, mid, n, i;
+ xdg_uint32_t i;
+ int min, max, mid, n;
character = file_name[len - 1];
@@ -677,8 +665,7 @@ cache_get_mime_type_for_data (const void *data,
int prio;
const char *match;
- match = cache_magic_lookup_data (cache, data, len, &prio,
- mime_types, n_mime_types);
+ match = cache_magic_lookup_data (cache, data, len, &prio);
if (prio > priority)
{
priority = prio;
@@ -697,9 +684,11 @@ cache_get_mime_type_for_data (const void *data,
if (mime_types[n] && _xdg_mime_cache_mime_type_subclass(mime_types[n], mime_type))
return mime_types[n];
}
-
- /* Return magic match */
- return mime_type;
+ if (n == 0)
+ {
+ /* No globs: return magic match */
+ return mime_type;
+ }
}
/* Pick first glob result, as fallback */
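Review bot: The new `if (n == 0)` test relies on `n` being the counter of the `for` loop just above, whose header is outside the hunk. If that loop runs `n` up to `n_mime_types`, the test is true only when no glob candidates were passed in. Testing the count directly, `if (n_mime_types == 0)`, states that intent without depending on the loop's exit value, and stays correct if the loop later gains a `break`. The comment could then read `/* No glob candidates: the magic match is the only evidence */`.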
@@ -787,7 +776,7 @@ _xdg_mime_cache_get_mime_type_for_file (const char *file_name,
mime_types, n);
if (!mime_type)
- mime_type = _xdg_binary_or_text_fallback(data, bytes_read);
+ mime_type = _xdg_binary_or_text_fallback (data, bytes_read);
free (data);
fclose (file);
@@ -816,19 +805,28 @@ _xdg_mime_cache_get_mime_types_from_file_name (const char *file_name,
#if 1
static int
-is_super_type (const char *mime)
+ends_with (const char *str,
+ const char *suffix)
{
int length;
- const char *type;
+ int suffix_length;
- length = strlen (mime);
- type = &(mime[length - 2]);
+ length = strlen (str);
+ suffix_length = strlen (suffix);
+ if (length < suffix_length)
+ return 0;
- if (strcmp (type, "/*") == 0)
+ if (strcmp (str + length - suffix_length, suffix) == 0)
return 1;
return 0;
}
+
+static int
+is_super_type (const char *mime)
+{
+ return ends_with (mime, "/*");
+}
#endif
int
@@ -837,7 +835,8 @@ _xdg_mime_cache_mime_type_subclass (const char *mime,
{
const char *umime, *ubase;
- int i, j, min, max, med, cmp;
+ xdg_uint32_t j;
+ int i, min, max, med, cmp;
umime = _xdg_mime_cache_unalias_mime_type (mime);
ubase = _xdg_mime_cache_unalias_mime_type (base);
@@ -860,7 +859,8 @@ _xdg_mime_cache_mime_type_subclass (const char *mime,
strncmp (umime, "text/", 5) == 0)
return 1;
- if (strcmp (ubase, "application/octet-stream") == 0)
+ if (strcmp (ubase, "application/octet-stream") == 0 &&
+ strncmp (umime, "inode/", 6) != 0)
return 1;
for (i = 0; _caches[i]; i++)
@@ -919,7 +919,8 @@ _xdg_mime_cache_unalias_mime_type (const char *mime)
char **
_xdg_mime_cache_list_mime_parents (const char *mime)
{
- int i, j, k, l, p;
+ int i, l, p;
+ xdg_uint32_t j, k;
char *all_parents[128]; /* we'll stop at 128 */
char **result;
@@ -1031,6 +1032,7 @@ dump_glob_node (XdgMimeCache *cache,
xdg_uint32_t mime_offset;
xdg_uint32_t n_children;
xdg_uint32_t child_offset;
+ xdg_uint32_t k;
int i;
character = GET_UINT32 (cache->buffer, offset);
@@ -1045,15 +1047,15 @@ dump_glob_node (XdgMimeCache *cache,
printf ("\n");
if (child_offset)
{
- for (i = 0; i < n_children; i++)
- dump_glob_node (cache, child_offset + 20 * i, depth + 1);
+ for (k = 0; k < n_children; k++)
+ dump_glob_node (cache, child_offset + 20 * k, depth + 1);
}
}
void
_xdg_mime_cache_glob_dump (void)
{
- int i, j;
+ xdg_uint32_t i, j;
for (i = 0; _caches[i]; i++)
{
XdgMimeCache *cache = _caches[i];
@@ -1067,3 +1069,5 @@ _xdg_mime_cache_glob_dump (void)
dump_glob_node (cache, offset + 20 * j, 0);
}
}
+
+
diff --git a/chromium/base/third_party/xdg_mime/xdgmimeglob.c b/chromium/base/third_party/xdg_mime/xdgmimeglob.c
index f8434bcc560..5071418cc4a 100644
--- a/chromium/base/third_party/xdg_mime/xdgmimeglob.c
+++ b/chromium/base/third_party/xdg_mime/xdgmimeglob.c
@@ -86,7 +86,7 @@ _xdg_glob_list_new (void)
return new_element;
}
-/* Frees glob_list and all of it's children */
+/* Frees glob_list and all of its children */
static void
_xdg_glob_list_free (XdgGlobList *glob_list)
{
diff --git a/chromium/base/third_party/xdg_mime/xdgmimeint.c b/chromium/base/third_party/xdg_mime/xdgmimeint.c
index cf789d9fea1..5eaa7154e2c 100644
--- a/chromium/base/third_party/xdg_mime/xdgmimeint.c
+++ b/chromium/base/third_party/xdg_mime/xdgmimeint.c
@@ -193,10 +193,10 @@ const char *
_xdg_binary_or_text_fallback(const void *data, size_t len)
{
unsigned char *chardata;
- int i;
+ size_t i;
chardata = (unsigned char *) data;
- for (i = 0; i < 32 && i < len; ++i)
+ for (i = 0; i < 128 && i < len; ++i)
{
if (chardata[i] < 32 && chardata[i] != 9 && chardata[i] != 10 && chardata[i] != 13)
return XDG_MIME_TYPE_UNKNOWN; /* binary data */
diff --git a/chromium/base/third_party/xdg_mime/xdgmimemagic.c b/chromium/base/third_party/xdg_mime/xdgmimemagic.c
index a2320f58491..fd49fa8e682 100644
--- a/chromium/base/third_party/xdg_mime/xdgmimemagic.c
+++ b/chromium/base/third_party/xdg_mime/xdgmimemagic.c
@@ -272,7 +272,10 @@ _xdg_mime_magic_parse_header (FILE *magic_file, XdgMimeMagicMatch *match)
buffer = (char *)_xdg_mime_magic_read_to_newline (magic_file, &end_of_file);
if (end_of_file)
- return XDG_MIME_MAGIC_EOF;
+ {
+ free (buffer);
+ return XDG_MIME_MAGIC_EOF;
+ }
end_ptr = buffer;
while (*end_ptr != ']' && *end_ptr != '\000' && *end_ptr != '\n')
@@ -317,7 +320,7 @@ _xdg_mime_magic_parse_magic_line (FILE *magic_file,
int c;
int end_of_file;
int indent = 0;
- int bytes_read;
+ size_t bytes_read;
assert (magic_file != NULL);
@@ -404,7 +407,7 @@ _xdg_mime_magic_parse_magic_line (FILE *magic_file,
return XDG_MIME_MAGIC_ERROR;
}
bytes_read = fread (matchlet->value, 1, matchlet->value_length, magic_file);
- if (bytes_read != matchlet->value_length)
+ if (bytes_read != (size_t) matchlet->value_length)
{
_xdg_mime_magic_matchlet_free (matchlet);
if (feof (magic_file))
@@ -424,7 +427,7 @@ _xdg_mime_magic_parse_magic_line (FILE *magic_file,
return XDG_MIME_MAGIC_ERROR;
}
bytes_read = fread (matchlet->mask, 1, matchlet->value_length, magic_file);
- if (bytes_read != matchlet->value_length)
+ if (bytes_read != (size_t) matchlet->value_length)
{
_xdg_mime_magic_matchlet_free (matchlet);
if (feof (magic_file))
@@ -462,7 +465,7 @@ _xdg_mime_magic_parse_magic_line (FILE *magic_file,
_xdg_mime_magic_matchlet_free (matchlet);
return XDG_MIME_MAGIC_EOF;
}
- if (matchlet->range_length == -1)
+ if (matchlet->range_length == (unsigned int) -1)
{
_xdg_mime_magic_matchlet_free (matchlet);
return XDG_MIME_MAGIC_ERROR;
@@ -476,7 +479,7 @@ _xdg_mime_magic_parse_magic_line (FILE *magic_file,
/* We clean up the matchlet, byte swapping if needed */
if (matchlet->word_size > 1)
{
- int i;
+ unsigned int i;
if (matchlet->value_length % matchlet->word_size != 0)
{
_xdg_mime_magic_matchlet_free (matchlet);
@@ -521,7 +524,7 @@ _xdg_mime_magic_matchlet_compare_to_data (XdgMimeMagicMatchlet *matchlet,
const void *data,
size_t len)
{
- int i, j;
+ unsigned int i, j;
for (i = matchlet->offset; i < matchlet->offset + matchlet->range_length; i++)
{
int valid_matchlet = TRUE;