From 180342ac60b2083fa2ba4d4ec88680248ec4d6dd Mon Sep 17 00:00:00 2001
From: DongHun Kwak
Date: Mon, 16 May 2022 16:02:42 +0900
Subject: [PATCH] [CVE-2018-17942] vasnprintf: Fix heap memory overrun bug.
Reported by Ben Pfaff in . * lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of memory. * tests/test-vasnprintf.c (test_function): Add another test.
Change-Id: I107d30510c01c28390f6a61c4034ea5fe4d20d80
---
 packaging/CVE-2018-17942.patch | 34 ++++++++++++++++++++++++++++++++++
 packaging/patch.spec | 2 ++
 2 files changed, 36 insertions(+)
 create mode 100644 packaging/CVE-2018-17942.patch
diff --git a/packaging/CVE-2018-17942.patch b/packaging/CVE-2018-17942.patch
new file mode 100644
index 0000000..0efe08e
--- /dev/null
+++ b/packaging/CVE-2018-17942.patch
@@ -0,0 +1,34 @@
+From 861e8512d47e5aff3c836bd7720dc3506a220a99 Mon Sep 17 00:00:00 2001
+From: Bruno Haible
+Date: Sun, 23 Sep 2018 14:13:52 +0200
+Subject: [PATCH] [CVE-2018-17942] vasnprintf: Fix heap memory overrun bug.
+
+Reported by Ben Pfaff in
+.
+
+* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
+memory.
+* tests/test-vasnprintf.c (test_function): Add another test.
+
+---
+ lib/vasnprintf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
+index 8b91e3f..c1c1fa5 100644
+--- a/lib/vasnprintf.c
++++ b/lib/vasnprintf.c
+@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
+ size_t a_len = a.nlimbs;
+ /* 0.03345 is slightly larger than log(2)/(9*log(10)). */
+ size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
+- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
++ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
++ digits of a, followed by 1 byte for the terminating NUL. */
++ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
+ if (c_ptr != NULL)
+ {
+ char *d_ptr = c_ptr;
+--
+2.25.1
+
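Review bot: The embedded patch header still carries `* tests/test-vasnprintf.c (test_function): Add another test.`, but its diffstat and its only hunk touch `lib/vasnprintf.c`, so the upstream regression test is not part of this backport. The outer commit message repeats the same line. As a result, nothing visible in this change exercises the one-byte overrun once the patch is applied. I would drop that line from both messages, or add a header line such as `Backport note: tests/test-vasnprintf.c change from the upstream commit omitted (test file presumably not shipped in this tarball)`, so a later auditor does not assume the test exists. The body of `convert_to_decimal` continues outside the hunk, so the NUL write that the new comment accounts for cannot be confirmed from here.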
diff --git a/packaging/patch.spec b/packaging/patch.spec
index b3807b0..c881e97 100644
--- a/packaging/patch.spec
+++ b/packaging/patch.spec
@@ -7,6 +7,7 @@ Url: http://www.gnu.org/software/patch/patch.html
 Group: Development/Tools
 Source0: ftp://ftp.gnu.org/gnu/patch/patch-%{version}.tar.xz
 Source11: CVE-2018-6951.patch
+Source12: CVE-2018-17942.patch
 Source1001: patch.manifest
 %description
@@ -22,6 +23,7 @@ applications.
 %prep
 %setup -q
 %{__patch} -p1 < %{SOURCE11}
+%{__patch} -p1 < %{SOURCE12}
 %build
 cp %{SOURCE1001} .
--
2.34.1
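Review bot: The added `%{__patch} -p1 < %{SOURCE12}` in `%prep` runs GNU patch with its default fuzz, so if the context in `lib/vasnprintf.c` ever differs (for example after a tarball update) the security fix can apply at a shifted location or partially rather than failing the build. For a CVE backport I would make the mismatch fatal with `%{__patch} -p1 --fuzz=0 < %{SOURCE12}`; the existing `SOURCE11` context line would benefit from the same treatment. Declaring the file as `Source12` follows the existing `Source11` convention, but tooling that enumerates `Patch` tags may not list this fix. A comment above the tag such as `# CVE-2018-17942: gnulib vasnprintf heap overrun in convert_to_decimal` would keep it discoverable.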