From 8437b31578e5d15ecac07720bdc87e1aa82475ca Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 8 Nov 2022 01:59:27 -0500
Subject: [PATCH] import xmlrpc-c-1.51.0-8.el8

---
 ...-integer-overflows-CVE-2022-22822-to.patch | 92 +++++++++++++++++++
 ...overflow-on-m_groupSize-in-doProlog-.patch | 32 +++++++
 SPECS/xmlrpc-c.spec                           | 15 ++-
 3 files changed, 137 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
 create mode 100644 SOURCES/0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch

diff --git a/SOURCES/0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch b/SOURCES/0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
new file mode 100644
index 0000000..4c507ee
--- /dev/null
+++ b/SOURCES/0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
@@ -0,0 +1,92 @@
+From ce6eddc1a167dafaac17c7bad9fa6b013fada31b Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 25 Feb 2022 13:07:07 -0500
+Subject: [PATCH 5/6] lib: Prevent more integer overflows (CVE-2022-22822 to
+ CVE-2022-22827)
+
+Backport fixes from https://github.com/libexpat/libexpat/pull/539
+
+Resolves: #2058567, #2058576, #2058282, #2058589, #2058595, #2058602
+---
+ lib/expat/xmlparse/xmlparse.c | 40 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
+index 48adfb3..16ab82a 100644
+--- a/lib/expat/xmlparse/xmlparse.c
++++ b/lib/expat/xmlparse/xmlparse.c
+@@ -19,6 +19,7 @@ See the file copying.txt for copying permission.
+ #include <assert.h>
+ #include <limits.h>                     /* UINT_MAX */
+ #include <time.h>                       /* time() */
++#include <stdint.h>
+ 
+ #include "xmlrpc_config.h"
+ #include "c_util.h"
+@@ -1076,6 +1077,9 @@ int addBinding(XML_Parser parser,
+     ;
+   if (namespaceSeparator)
+     len++;
++  if (namespaceSeparator && (uri[len] == namespaceSeparator)) {
++    return XML_ERROR_SYNTAX;
++  }
+   if (freeBindingList) {
+     b = freeBindingList;
+     if (len > b->uriAlloc) {
+@@ -2116,10 +2120,32 @@ storeAtts(XML_Parser       const xmlParserP,
+   }
+   /* get the attributes from the tokenizer */
+   n = XmlGetAttributes(enc, attStr, attsSize, atts);
++
++
++  /* Detect and prevent integer overflow */
++  if (n > INT_MAX - nDefaultAtts) {
++    return XML_ERROR_NO_MEMORY;
++  }
++
+   if (n + nDefaultAtts > attsSize) {
+     int oldAttsSize = attsSize;
+     ATTRIBUTE *temp;
++    /* Detect and prevent integer overflow */
++    if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
++        || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
++      return XML_ERROR_NO_MEMORY;
++    }
+     attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
++      attsSize = oldAttsSize;
++      return XML_ERROR_NO_MEMORY;
++    }
++#endif
+     temp = realloc((void *)atts, attsSize * sizeof(ATTRIBUTE));
+     if (!temp)
+       return XML_ERROR_NO_MEMORY;
+@@ -2297,6 +2323,20 @@ storeAtts(XML_Parser       const xmlParserP,
+   n = i + binding->uriLen;
+   if (n > binding->uriAlloc) {
+     TAG *p;
++
++    /* Detect and prevent integer overflow */
++    if (n > INT_MAX - EXPAND_SPARE) {
++      return XML_ERROR_NO_MEMORY;
++    }
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++      return XML_ERROR_NO_MEMORY;
++    }
++#endif
+     XML_Char *uri = malloc((n + EXPAND_SPARE) * sizeof(XML_Char));
+     if (!uri)
+       return XML_ERROR_NO_MEMORY;
+-- 
+2.31.1
+
diff --git a/SOURCES/0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch b/SOURCES/0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
new file mode 100644
index 0000000..9290060
--- /dev/null
+++ b/SOURCES/0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
@@ -0,0 +1,32 @@
+From 06d354807ac297374973631a6418edf7e3fcbf30 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 28 Feb 2022 10:43:23 -0500
+Subject: [PATCH 6/6] Prevent integer overflow on m_groupSize in doProlog
+ (CVE-2021-46143)
+
+Backported from upstream https://github.com/libexpat/libexpat/pull/538
+
+Resolves: #2058560
+---
+ lib/expat/xmlparse/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/expat/xmlparse/xmlparse.c b/lib/expat/xmlparse/xmlparse.c
+index 16ab82a..b9aa927 100644
+--- a/lib/expat/xmlparse/xmlparse.c
++++ b/lib/expat/xmlparse/xmlparse.c
+@@ -3991,6 +3991,11 @@ doProlog(XML_Parser       const xmlParserP,
+     case XML_ROLE_GROUP_OPEN:
+       if (prologState.level >= groupSize) {
+         if (groupSize) {
++          /* Detect and prevent integer overflow */
++          if (groupSize > (unsigned int)(-1) / 2u) {
++            *errorCodeP = XML_ERROR_NO_MEMORY;
++            return;
++          }
+           char *temp = realloc(groupConnector, groupSize *= 2);
+           if (!temp) {
+             *errorCodeP = XML_ERROR_NO_MEMORY;
+-- 
+2.31.1
+
diff --git a/SPECS/xmlrpc-c.spec b/SPECS/xmlrpc-c.spec
index c47e021..9732d67 100644
--- a/SPECS/xmlrpc-c.spec
+++ b/SPECS/xmlrpc-c.spec
@@ -6,7 +6,7 @@
 
 Name:           xmlrpc-c
 Version:        1.51.0
-Release:        6%{?dist}
+Release:        8%{?dist}
 Summary:        Lightweight RPC library based on XML and HTTP
 # See doc/COPYING for details.
 # The Python 1.5.2 license used by a few files is just BSD.
@@ -25,6 +25,8 @@ Patch103:       0003-allow-30x-redirections.patch
 #Patch104:       xmlrpc-c-printf-size_t.patch
 #Patch105:       xmlrpc-c-check-vasprintf-return-value.patch
 Patch104:       0004-Add-missing-validation-of-encoding-CVE-2022-25235.patch
+Patch105:       0005-lib-Prevent-more-integer-overflows-CVE-2022-22822-to.patch
+Patch106:       0006-Prevent-integer-overflow-on-m_groupSize-in-doProlog-.patch
 
 # Backported patches
 # https://sourceforge.net/p/xmlrpc-c/code/2981/
@@ -192,8 +194,17 @@ This package contains some handy XML-RPC demo applications.
 %{_bindir}/xmlrpc_dumpserver
 
 %changelog
+* Thu Apr 14 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-8
+- Address some Coverity issues in the patch set
+
+* Tue Apr 05 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-7
+- lib: Prevent more integer overflows (CVE-2022-22822 to CVE-2022-22827)
+  (#2058567, #2058576, #2058582, #2058589, #2058595, #2058602)
+- Prevent integer overflow on m_groupSize in doProlog
+  (CVE-2021-46143) (#2058560)
+
 * Thu Mar 03 2022 Rob Crittenden <rcritten@redhat.com> - 1.51.0-6
-- Add missing validation of encoding (CVE-2022-25235) (#2058114)
+- Add missing validation of encoding (CVE-2022-25235) (#2070481)
 
 * Thu Apr 19 2018 Adam Williamson <awilliam@redhat.com> - 1.51.0-5
 - Backport upstream fix for console spam with debug messages (#1541868)