From 8daf88e55901bd8a7c379524e5be57863416d33c Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Thu, 21 Oct 2021 14:19:04 +0200
Subject: [PATCH] Fix issues in bundled libopts, spotted by covscan

Resolves: #1938730
Signed-off-by: Daiki Ueno
---
 gnutls-3.7.2-libopts-covscan.patch | 72 ++++++++++++++++++++++++++++++
 gnutls.spec | 6 ++-
 2 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 gnutls-3.7.2-libopts-covscan.patch
diff --git a/gnutls-3.7.2-libopts-covscan.patch b/gnutls-3.7.2-libopts-covscan.patch
new file mode 100644
index 0000000..a85738f
--- /dev/null
+++ b/gnutls-3.7.2-libopts-covscan.patch
@@ -0,0 +1,72 @@
+From de11338de900f5c8840268264bceccbf76cca34f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Thu, 21 Oct 2021 12:19:30 +0200
+Subject: [PATCH 1/2] autoopts: makeshell: use ferror before fclose
+
+Signed-off-by: Daiki Ueno
+---
+ src/libopts/makeshell.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/libopts/makeshell.c b/src/libopts/makeshell.c
+index b6cb441a..7eb17a1f 100644
+--- a/src/libopts/makeshell.c
++++ b/src/libopts/makeshell.c
+@@ -164,9 +164,8 @@ optionParseShell(tOptions * opts)
+ #ifdef HAVE_FCHMOD
+ fchmod(STDOUT_FILENO, 0755);
+ #endif
+- fclose(stdout);
+
+- if (ferror(stdout))
++ if (ferror(stdout) || fclose(stdout))
+ fserr_exit(opts->pzProgName, zwriting, zstdout_name);
+
+ AGFREE(script_text);
+--
+2.31.1
+
+
+From 161097d36b608b615482e42e56a465c9fd740c26 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Thu, 21 Oct 2021 12:43:07 +0200
+Subject: [PATCH 2/2] autoopts: load: fix resource leak in error path
+
+Signed-off-by: Daiki Ueno
+---
+ src/libopts/load.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopts/load.c b/src/libopts/load.c
+index 3f1ce2e6..ad1c4584 100644
+--- a/src/libopts/load.c
++++ b/src/libopts/load.c
+@@ -219,8 +219,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path)
+ * IF we cannot find a directory name separator,
+ * THEN we do not have a path name to our executable file.
+ */
+- if (pz == NULL)
++ if (pz == NULL) {
++ if (path != prg_path)
++ AGFREE(path);
+ return false;
++ }
+
+ fname += skip;
+ fname_len = strlen(fname) + 1; // + NUL byte
+@@ -230,8 +233,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path)
+ * Concatenate the file name to the end of the executable path.
+ * The result may be either a file or a directory.
+ */
+- if (dir_len + fname_len > (unsigned)b_sz)
++ if (dir_len + fname_len > (unsigned)b_sz) {
++ if (path != prg_path)
++ AGFREE(path);
+ return false;
++ }
+
+ memcpy(buf, path, dir_len);
+ memcpy(buf + dir_len, fname, fname_len);
+--
+2.31.1
+
diff --git a/gnutls.spec b/gnutls.spec
index 5f1265b..b5e6c20 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -1,11 +1,12 @@
 # This spec file has been automatically updated
 Version: 3.7.2
-Release: 7%{?dist}
+Release: 8%{?dist}
 Patch1: gnutls-3.6.7-no-now-guile.patch
 Patch2: gnutls-3.2.7-rpath.patch
 Patch3: gnutls-3.7.2-config-allowlisting.patch
 Patch4: gnutls-3.7.2-key-share-ecdhx.patch
 Patch5: gnutls-3.7.2-enable-intel-cet.patch
+Patch6: gnutls-3.7.2-libopts-covscan.patch
 %bcond_with bootstrap
 %bcond_without dane
 %if 0%{?rhel}
@@ -321,6 +322,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 
 %changelog
+* Thu Oct 21 2021 Daiki Ueno - 3.7.2-8
+- Fix issues in bundled libopts, spotted by covscan (#1938730)
+
 * Tue Oct 12 2021 Daiki Ueno - 3.7.2-7
 - Enable Intel CET
 - Remove unnecessary CCASFLAGS setting for annocheck
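Review bot: In the second load.c hunk of the embedded patch, the rewritten guard `if (dir_len + fname_len > (unsigned)b_sz) {` still converts the signed `int b_sz` parameter to unsigned, so a negative size would turn into a very large bound and the two `memcpy` calls into `buf` that follow would no longer be limited by it. Whether any caller can pass a non-positive size is not visible here, but since the line is being rewritten anyway the guard could reject it outright: `if (b_sz <= 0 || dir_len + fname_len > (unsigned)b_sz) {`. The `if (path != prg_path) AGFREE(path);` release is also now repeated in both error branches; routing them through one exit label that frees `path` would keep a later early return from reintroducing the leak. add_prog_path starts before and continues past both load.c hunks, so the declarations of `path`, `dir_len` and `fname_len` are not shown.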