include a patch for CVE-2016-9840 (RHBZ#2366435)

2025-05-15 20:13:46 +02:00 · 2025-05-15 20:13:46 +02:00 · 03e72d27f1
commit 03e72d27f1
parent a7313995fb
2 changed files with 73 additions and 0 deletions
--- a/remove-ub-in-zlib.patch
+++ b/remove-ub-in-zlib.patch
@ -0,0 +1,71 @@
+From 6a043145ca6e9c55184013841a67b2fef87e44c0 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 21 Sep 2016 23:35:50 -0700
+Subject: [PATCH] Remove offset pointer optimization in inftrees.c.
+
+inftrees.c was subtracting an offset from a pointer to an array,
+in order to provide a pointer that allowed indexing starting at
+the offset. This is not compliant with the C standard, for which
+the behavior of a pointer decremented before its allocated memory
+is undefined. Per the recommendation of a security audit of the
+zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this tiny optimization was removed, in order
+to avoid the possibility of undefined behavior.
+---
+ inftrees.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/inftrees.c b/inftrees.c
+index 22fcd6666..0d2670d57 100644
+--- a/inftrees.c
+++ b/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+     code FAR *next;             /* next available space in table */
+     const unsigned short FAR *base;     /* base value table to use */
+     const unsigned short FAR *extra;    /* extra bits table to use */
+-    int end;                    /* use base and extra for symbol > end */
+    unsigned match;             /* use base and extra for symbol >= match */
+     unsigned short count[MAXBITS+1];    /* number of codes of each length */
+     unsigned short offs[MAXBITS+1];     /* offsets in table for each length */
+     static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+     switch (type) {
+     case CODES:
+         base = extra = work;    /* dummy value--not used */
+-        end = 19;
+        match = 20;
+         break;
+     case LENS:
+         base = lbase;
+-        base -= 257;
+         extra = lext;
+-        extra -= 257;
+-        end = 256;
+        match = 257;
+         break;
+     default:            /* DISTS */
+         base = dbase;
+         extra = dext;
+-        end = -1;
+        match = 0;
+     }
+ 
+     /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+     for (;;) {
+         /* create table entry */
+         this.bits = (unsigned char)(len - drop);
+-        if ((int)(work[sym]) < end) {
+        if (work[sym] + 1 < match) {
+             this.op = (unsigned char)0;
+             this.val = work[sym];
+         }
+-        else if ((int)(work[sym]) > end) {
+-            this.op = (unsigned char)(extra[work[sym]]);
+-            this.val = base[work[sym]];
+        else if (work[sym] >= match) {
+            this.op = (unsigned char)(extra[work[sym] - match]);
+            this.val = base[work[sym] - match];
+         }
+         else {
+             this.op = (unsigned char)(32 + 64);         /* end of block */
--- a/zsync.spec
+++ b/zsync.spec
@ -12,6 +12,8 @@ Source0:       http://zsync.moria.org.uk/download/%{name}-%{version}.tar.bz2

 # https://sources.debian.org/data/main/z/zsync/0.6.2-7/debian/patches/fix-build-with-gcc-14.patch
 Patch1:        fix-build-with-gcc-14.patch
+# https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0 (modif'd to apply)
+Patch2:        remove-ub-in-zlib.patch

 BuildRequires: gcc
 BuildRequires: make