--- /dev/null
+From 09eae9d970b7d200afa9b50d428f039dbd8dc07c Mon Sep 17 00:00:00 2001
+From: Bruno Haible <bruno@clisp.org>
+Date: Sun, 23 Sep 2018 14:13:52 +0200
+Subject: [PATCH 1/2] [CVE-2018-17942] vasnprintf: Fix heap memory overrun bug.
+
+Reported by Ben Pfaff <blp@cs.stanford.edu> in
+<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
+
+* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
+memory.
+
+Change-Id: Id0c55f547fef88da6848754e84568c09e800203f
+Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
+---
+ lib/vasnprintf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
+index 71f8d80..dfe7bdc 100644
+--- a/lib/vasnprintf.c
++++ b/lib/vasnprintf.c
+@@ -850,7 +850,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
+ size_t a_len = a.nlimbs;
+ /* 0.03345 is slightly larger than log(2)/(9*log(10)). */
+ size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
+- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
++ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
++ digits of a, followed by 1 byte for the terminating NUL. */
++ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
+ if (c_ptr != NULL)
+ {
+ char *d_ptr = c_ptr;
+--
+2.25.1
+
--- /dev/null
+From fad4795ead98f151bcf3134305ea7d1ede1bba1f Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Sat, 19 Sep 2015 13:53:34 -0700
+Subject: [PATCH 2/2] [CVE-2009-5155] Diagnose ERE '()|\1'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem reported by Hanno Böck in: http://bugs.gnu.org/21513
+* lib/regcomp.c (parse_reg_exp): While parsing alternatives, keep
+track of the set of previously-completed subexpressions available
+before the first alternative, and restore this set just before
+parsing each subsequent alternative. This lets us diagnose the
+invalid back-reference in the ERE '()|\1'.
+
+Change-Id: I33d1ba3c5c4e3460b81cda46eac2a4eac625b8c3
+Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
+---
+ lib/regcomp.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/regcomp.c b/lib/regcomp.c
+index 747fa40..10770d3 100644
+--- a/lib/regcomp.c
++++ b/lib/regcomp.c
+@@ -2142,6 +2142,7 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,
+ {
+ re_dfa_t *dfa = (re_dfa_t *) preg->buffer;
+ bin_tree_t *tree, *branch = NULL;
++ bitset_word_t initial_bkref_map = dfa->completed_bkref_map;
+ tree = parse_branch (regexp, preg, token, syntax, nest, err);
+ if (BE (*err != REG_NOERROR && tree == NULL, 0))
+ return NULL;
+@@ -2152,9 +2153,16 @@ parse_reg_exp (re_string_t *regexp, regex_t *preg, re_token_t *token,
+ if (token->type != OP_ALT && token->type != END_OF_RE
+ && (nest == 0 || token->type != OP_CLOSE_SUBEXP))
+ {
++ bitset_word_t accumulated_bkref_map = dfa->completed_bkref_map;
++ dfa->completed_bkref_map = initial_bkref_map;
+ branch = parse_branch (regexp, preg, token, syntax, nest, err);
+ if (BE (*err != REG_NOERROR && branch == NULL, 0))
+- return NULL;
++ {
++ if (tree != NULL)
++ postorder (tree, free_tree, NULL);
++ return NULL;
++ }
++ dfa->completed_bkref_map |= accumulated_bkref_map;
+ }
+ else
+ branch = NULL;
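Review bot: The save/restore of `dfa->completed_bkref_map` around each `parse_branch` call has no comment, so the invariant that makes `()|\1` an error is recoverable only from the commit message. A short comment above the `accumulated_bkref_map` line would help, for example `/* An alternative may only back-reference groups completed before the alternation or inside itself: restart from the initial set, then merge what earlier branches completed. */`. On the new error path `tree` is freed, but `dfa->completed_bkref_map` is left at the reset value; this is presumably harmless because compilation is abandoned, but that is not visible here, as `parse_reg_exp` begins and ends outside both hunks. A regression check that compiling the ERE `()|\1` with `REG_EXTENDED` returns an error instead of succeeding would pin the fix in this bundled copy.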
+--
+2.25.1
+
Url: https://ftp.gnu.org/gnu/wdiff/
Group: Productivity/Text/Utilities
Source: %{name}-%{version}.tar.bz2
+Source2: 0001-CVE-2018-17942-vasnprintf-Fix-heap-memory-overrun-bu.patch
+Source3: 0002-CVE-2009-5155-Diagnose-ERE-1.patch
Source1001: wdiff.manifest
BuildRequires: ncurses-devel
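Review bot: The two CVE backports are declared as `Source2:`/`Source3:` and applied in `%prep` with a bare `%{__patch} -p1 < %{SOURCE2}`, so tooling that enumerates `PatchN:` tags will not see them. They are also applied with patch's default fuzz instead of the build's `%_default_patch_fuzz` policy. Declaring them as `Patch0:`/`Patch1:` and applying them with `%patch0 -p1` and `%patch1 -p1` keeps the security fixes visible in the package metadata and lets the configured fuzz limit reject a hunk that no longer matches. That matters here because both patches were written against upstream gnulib, and the bundled copy may differ around the touched lines (inferred; the bundled sources are not shown).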
%prep
%setup -q
cp %{SOURCE1001} .
+%{__patch} -p1 < %{SOURCE2}
+%{__patch} -p1 < %{SOURCE3}
%build
LIBS=-lncurses \