SOURCES/Fix-a-memory-leak-on-invalid-input.patch

@@ -0,0 +1,31 @@
+From 47af5b2365a306532d1e0b786f0d7f9754f914cd Mon Sep 17 00:00:00 2001
+From: Peter Pentchev <roam@debian.org>
+Date: Mon, 1 Jun 2020 10:25:34 +0300
+Subject: [PATCH] Fix a memory leak on invalid input.
+
+---
+ src/drpm_decompstrm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/drpm_decompstrm.c b/src/drpm_decompstrm.c
+index d885dcf..ec3115e 100644
+--- a/src/drpm_decompstrm.c
++++ b/src/drpm_decompstrm.c
+@@ -746,14 +746,14 @@ int readchunk_zstd(struct decompstrm *strm)
+             return DRPM_ERR_IO;
+     }
+ 
++    if (in_len == 0)
++        return DRPM_ERR_FORMAT;
++
+     size_t const buffOutSize = ZSTD_DStreamOutSize();
+     void* const buffOut = malloc(buffOutSize);
+     if (buffOut == NULL)
+         return DRPM_ERR_MEMORY;
+ 
+-    if (in_len == 0)
+-        return DRPM_ERR_FORMAT;
+-
+     ZSTD_inBuffer input = { in_buffer, in_len, 0 };
+ 
+     while (input.pos < input.size) {

SPECS/drpm.spec

@@ -7,7 +7,7 @@
 
 Name:           drpm
 Version:        0.4.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A library for making, reading and applying deltarpm packages
 # the entire source code is LGPLv2+, except src/drpm_diff.c and src/drpm_search.c which are BSD
 License:        LGPLv2+ and BSD
@@ -17,6 +17,7 @@ Source:         %{url}/releases/download/%{version}/%{name}-%{version}.tar.bz2
 # add workaround for gcc7 on ppc64le temporary before it's fixed in gcc
 # https://bugzilla.redhat.com/show_bug.cgi?id=1420350
 Patch1:         drpm-0.3.0-workaround-ppc64le-gcc.patch
+Patch2:         Fix-a-memory-leak-on-invalid-input.patch
 
 BuildRequires:  cmake >= 2.8.5
 BuildRequires:  gcc
@@ -85,6 +86,9 @@ popd
 %{_libdir}/pkgconfig/drpm.pc
 
 %changelog
+* Tue Aug 11 2020 Nicola Sella <nsella@redhat.com> - 0.4.1-3
+- Fix a memory leak on invalid input (RhBug:1866786)
+
 * Tue Jun 02 2020 Ales Matej <amatej@gmail.com> 0.4.1-2
 - Rebuild with zstd support (RhBug:1842036)