From 4661d38bc394c301f3f4a8c9103102f791c1246e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 21 Jan 2020 16:30:28 -0500 Subject: [PATCH] import libmspack-0.7-0.3.alpha.el8.4 --- ...HM-file-entries-that-are-blank-beca.patch} | 6 +- ...uffer-is-one-byte-too-small-for-max.patch} | 6 +- ...ounds-check-on-CHM-PMGI-PMGL-chunk-n.patch | 33 ----------- ...hecks-when-looking-for-control-files.patch | 56 +++++++++++++++++++ SPECS/libmspack.spec | 18 ++++-- 5 files changed, 75 insertions(+), 44 deletions(-) rename SOURCES/{0002-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch => 0001-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch} (89%) rename SOURCES/{0001-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch => 0002-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch} (93%) delete mode 100644 SOURCES/0003-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch create mode 100644 SOURCES/0003-length-checks-when-looking-for-control-files.patch diff --git a/SOURCES/0002-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch b/SOURCES/0001-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch similarity index 89% rename from SOURCES/0002-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch rename to SOURCES/0001-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch index c035023..2cc17a6 100644 --- a/SOURCES/0002-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch +++ b/SOURCES/0001-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch @@ -1,7 +1,7 @@ -From a68e54542c6f83eb2ee95a88482badbf36840049 Mon Sep 17 00:00:00 2001 +From b86a2e455cc4d3f586367ab05af1f1be00c6df65 Mon Sep 17 00:00:00 2001 
From: Stuart Caie Date: Wed, 17 Oct 2018 11:29:03 +0100 -Subject: [PATCH 2/3] Avoid returning CHM file entries that are "blank" because +Subject: [PATCH 1/3] Avoid returning CHM file entries that are "blank" because they have embedded null bytes (cherry picked from commit 8759da8db6ec9e866cb8eb143313f397f925bb4f) @@ -32,5 +32,5 @@ index b3f7fee..1d198bf 100644 * offset 0 with length 0. We want to keep empty files, but not * directory names, which end with a "/" */ -- -2.19.0.rc0 +2.22.0 diff --git a/SOURCES/0001-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch b/SOURCES/0002-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch similarity index 93% rename from SOURCES/0001-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch rename to SOURCES/0002-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch index fcb0429..970b178 100644 --- a/SOURCES/0001-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch +++ b/SOURCES/0002-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch @@ -1,7 +1,7 @@ -From c04c748cc922561d4461b2929cbf1b3c1ccd42a3 Mon Sep 17 00:00:00 2001 +From e31767785bc0922a953bbd1ef6428bf319ba2d2b Mon Sep 17 00:00:00 2001 From: Stuart Caie Date: Wed, 17 Oct 2018 11:33:35 +0100 -Subject: [PATCH 1/3] CAB block input buffer is one byte too small for maximal +Subject: [PATCH 2/3] CAB block input buffer is one byte too small for maximal Quantum block (cherry picked from commit 40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2) @@ -45,5 +45,5 @@ index 59cf95e..25cebcb 100644 struct mscab_decompressor_p { -- -2.19.0.rc0 +2.22.0 diff --git a/SOURCES/0003-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch b/SOURCES/0003-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch deleted file mode 100644 index 27b9f84..0000000 --- a/SOURCES/0003-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From 86cca984516664267a3f783dcdf84ac918494a02 Mon Sep 17 00:00:00 2001
-From: Stuart Caie
-Date: Sat, 12 May 2018 10:51:34 +0100
-Subject: [PATCH 3/3] =?UTF-8?q?Fix=20off-by-one=20bounds=20check=20on=20CH?=
- =?UTF-8?q?M=20PMGI/PMGL=20chunk=20numbers=20and=20reject=20empty=20filena?=
- =?UTF-8?q?mes.=20Thanks=20to=20Hanno=20B=C3=B6ck=20for=20reporting?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-(cherry picked from commit 72e70a921f0f07fee748aec2274b30784e1d312a)
----
- libmspack/mspack/chmd.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/libmspack/mspack/chmd.c b/libmspack/mspack/chmd.c
-index 1d198bf..45fa0ec 100644
---- a/libmspack/mspack/chmd.c
-+++ b/libmspack/mspack/chmd.c
-@@ -447,7 +447,10 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
- while (num_entries--) {
- READ_ENCINT(name_len);
- if (name_len > (unsigned int) (end - p)) goto chunk_end;
-+ /* consider blank filenames to be an error */
-+ if (name_len == 0) goto chunk_end;
- name = p; p += name_len;
-+
- READ_ENCINT(section);
- READ_ENCINT(offset);
- READ_ENCINT(length);
---
-2.19.0.rc0
-
diff --git a/SOURCES/0003-length-checks-when-looking-for-control-files.patch b/SOURCES/0003-length-checks-when-looking-for-control-files.patch
new file mode 100644
index 0000000..220561c
--- /dev/null
+++ b/SOURCES/0003-length-checks-when-looking-for-control-files.patch
@@ -0,0 +1,56 @@
+From e50806b8d3eb2af019def3fa932e7edf602ce51f Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Mon, 18 Feb 2019 13:04:58 +0000
+Subject: [PATCH 3/3] length checks when looking for control files
+
+(cherry picked from commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d)
+---
+ libmspack/mspack/chmd.c | 32 +++++++++++++++-----------------
+ 1 file changed, 15 insertions(+), 17 deletions(-)
+
+diff --git a/libmspack/mspack/chmd.c b/libmspack/mspack/chmd.c
+index 1d198bf..4c46db8 100644
+--- a/libmspack/mspack/chmd.c
++++ b/libmspack/mspack/chmd.c
+@@ -482,23 +482,21 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
+ fi->filename[name_len] = '\0';
+
+ if (name[0] == ':' && name[1] == ':') {
+- /* system file */
+- if (mspack_memcmp(&name[2], &content_name[2], 31L) == 0) {
+- if (mspack_memcmp(&name[33], &content_name[33], 8L) == 0) {
+- chm->sec1.content = fi;
+- }
+- else if (mspack_memcmp(&name[33], &control_name[33], 11L) == 0) {
+- chm->sec1.control = fi;
+- }
+- else if (mspack_memcmp(&name[33], &spaninfo_name[33], 8L) == 0) {
+- chm->sec1.spaninfo = fi;
+- }
+- else if (mspack_memcmp(&name[33], &rtable_name[33], 72L) == 0) {
+- chm->sec1.rtable = fi;
+- }
+- }
+- fi->next = chm->sysfiles;
+- chm->sysfiles = fi;
++ /* system file */
++ if (name_len == 40 && mspack_memcmp(name, content_name, 40) == 0) {
++ chm->sec1.content = fi;
++ }
++ else if (name_len == 44 && mspack_memcmp(name, control_name, 44) == 0) {
++ chm->sec1.control = fi;
++ }
++ else if (name_len == 41 && mspack_memcmp(name, spaninfo_name, 41) == 0) {
++ chm->sec1.spaninfo = fi;
++ }
++ else if (name_len == 105 && mspack_memcmp(name, rtable_name, 105) == 0) {
++ chm->sec1.rtable = fi;
++ }
++ fi->next = chm->sysfiles;
++ chm->sysfiles = fi;
+ }
+ else {
+ /* normal file */
+--
+2.22.0
+
diff --git a/SPECS/libmspack.spec b/SPECS/libmspack.spec
index 7159b68..11a0afb 100644
--- a/SPECS/libmspack.spec
+++ b/SPECS/libmspack.spec
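Review bot: The unchanged test `if (name[0] == ':' && name[1] == ':') {` at the top of the inner chmd.c hunk reads two bytes of `name` with no length check visible in the hunk, while every comparison this patch adds below it is gated on `name_len`. This patch and the 0003 patch the commit deletes are both diffs against chmd.c blob 1d198bf, so the deleted `if (name_len == 0) goto chunk_end;` is no longer applied by this series; the changelog says that fix is already in the base tarball, which cannot be confirmed from this page. Unless an earlier check in chmd_read_headers (its body starts and ends outside the hunk) already guarantees at least two name bytes, the guard should read `if (name_len >= 2 && name[0] == ':' && name[1] == ':') {`. The literals 40, 44, 41 and 105 each appear twice and would benefit from a comment such as `/* lengths of the *_name strings, excluding the terminating NUL */`, since those strings are defined outside the hunk and a mismatch would silently stop a control file from being recognised.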
@@ -1,6 +1,6 @@ Name: libmspack Version: 0.7 -Release: 0.1.alpha%{?dist}.3 +Release: 0.3.alpha%{?dist}.4 Summary: Library for CAB and related files compression and decompression Group: System Environment/Libraries @@ -11,10 +11,10 @@ Source0: https://github.com/kyz/libmspack/archive/v0.7alpha/%{name}-v0.7a Patch0: %{name}-0.4alpha-doc.patch # Fixes for CVE-2018-18584 CVE-2018-18585 -Patch1: 0001-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch -Patch2: 0002-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch -# Fix for CVE-2018-14680 -Patch3: 0003-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch +Patch1: 0001-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch +Patch2: 0002-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch +# Fix for CVE-CVE-2019-1010305 +Patch3: 0003-length-checks-when-looking-for-control-files.patch BuildRequires: doxygen BuildRequires: gcc @@ -98,6 +98,14 @@ rm $RPM_BUILD_ROOT%{_bindir}/oabextract %changelog +* Fri Aug 2 2019 Richard W.M. Jones - 0.7-0.2.alpha.4 +- Fix for CVE-2019-1010305 +- Remove "fix" for CVE-2018-14680 as this fix is included in base tar ball. + resolves: rhbz#1736745, rhbz#1736743 + +* Thu Mar 21 2019 Richard W.M. Jones - 0.7-0.2.alpha.3 +- Add gating tests resolves: rhbz#1682770 + * Mon Dec 10 2018 Richard W.M. Jones - 0.7-0.1.alpha.3 - Fix for CVE-2018-14680 resolves: rhbz#1610937
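Review bot: The comment added above Patch3 in the second hunk reads `# Fix for CVE-CVE-2019-1010305`, with the prefix doubled; it should be `# Fix for CVE-2019-1010305`, as the changelog entry in the last hunk spells it. The first hunk sets `Release: 0.3.alpha%{?dist}.4`, but the newest changelog entry added in the last hunk is versioned `0.7-0.2.alpha.4`, so one of the two is presumably stale and they should be reconciled. The changelog also states that the CVE-2018-14680 fix is in the base tarball; a short comment next to the patch list saying so would explain why no Patch entry for that CVE remains.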