From c58880c92c3444e4af68afd380b9baa88301fdf6 Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Mon, 26 Nov 2018 14:13:02 +0100
Subject: [PATCH] Fixed CVE-2018-17942, gnulib: heap-based buffer overflow
---
 patch-2.7.6-CVE-2018-17942.patch | 14 ++++++++++++++
 patch.spec | 5 ++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 patch-2.7.6-CVE-2018-17942.patch
diff --git a/patch-2.7.6-CVE-2018-17942.patch b/patch-2.7.6-CVE-2018-17942.patch
new file mode 100644
index 0000000..5eb224e
--- /dev/null
+++ b/patch-2.7.6-CVE-2018-17942.patch
@@ -0,0 +1,14 @@
+diff -up patch-2.7.6/lib/vasnprintf.c.me patch-2.7.6/lib/vasnprintf.c
+--- patch-2.7.6/lib/vasnprintf.c.me 2018-11-26 14:02:03.401718842 +0100
++++ patch-2.7.6/lib/vasnprintf.c 2018-11-26 14:03:02.923913446 +0100
+@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extr
+ size_t a_len = a.nlimbs;
+ /* 0.03345 is slightly larger than log(2)/(9*log(10)). */
+ size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
+- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
++ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
++ digits of a, followed by 1 byte for the terminating NUL. */
++ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
+ if (c_ptr != NULL)
+ {
+ char *d_ptr = c_ptr;
diff --git a/patch.spec b/patch.spec
index 7f21983..61d3b19 100644
--- a/patch.spec
+++ b/patch.spec
@@ -11,6 +11,7 @@ Source: ftp://ftp.gnu.org/gnu/patch/patch-%{version}.tar.xz
 Patch1: patch-CVE-2018-1000156.patch
 Patch2: patch-2.7.6-CVE-2018-6952.patch
 Patch3: patch-2.7.6-git-style.patch
+Patch4: patch-2.7.6-CVE-2018-17942.patch
 Patch100: patch-selinux.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
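Review bot: The new patch-2.7.6-CVE-2018-17942.patch starts directly at `diff -up` and records nothing about where the change comes from, and the `%patch4` comment in patch.spec likewise gives no link, unlike the `%patch3` comment above it, which points at the bug-patch thread. Because the fix is to the bundled gnulib copy, a later rebase needs that reference to decide whether upstream already contains the one-byte correction. I would add a header line to the patch file such as `Upstream: <UPSTREAM_GNULIB_COMMIT_OR_BUG_URL>` (placeholder, the reference is not on this page) and repeat it as a `#` comment above `%patch4`. The body of convert_to_decimal that fills the buffer lies outside the hunk, so the byte count stated in the new comment cannot be checked against the writes from here.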
@@ -41,7 +42,8 @@ applications.
 # Fix error handling with git-style patches
 # http://lists.gnu.org/archive/html/bug-patch/2018-10/msg00000.html
 %patch3 -p1 -b .git-style
-
+# CVE-2018-17942 gnulib: heap-based buffer overflow
+%patch4 -p1 -b .gnulib_buffer_overflow
 # SELinux support.
 %patch100 -p1 -b .selinux
@@ -69,6 +71,7 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Mon Nov 26 2018 Than Ngo - 2.7.6-8
 - Added virtual provides for bundled gnulib library
+- Fixed CVE-2018-17942, gnulib: heap-based buffer overflow
 * Thu Oct 11 2018 Than Ngo - 2.7.6-7
 - Fixed #1582675 - Patch can be crashed and coredumped with a trivial wrong command