From f7d85b100f40df9648581aebd2fbe3e6a22b507b Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 23 Feb 2022 11:30:26 +0800
Subject: [PATCH] Fix CVE-2018-17942
---
CVE-2018-17942.patch | 84 ++++++++++++++++++++++++++++++++++++++++++++
gnulib.spec | 6 +++-
2 files changed, 89 insertions(+), 1 deletion(-)
create mode 100644 CVE-2018-17942.patch
diff --git a/CVE-2018-17942.patch b/CVE-2018-17942.patch
new file mode 100644
index 0000000..647ab91
--- /dev/null
+++ b/CVE-2018-17942.patch
@@ -0,0 +1,84 @@
+From ac5a6fe5b87b4d61e03645598b33c33d964c62f0 Mon Sep 17 00:00:00 2001
+From: Bruno Haible
+Date: Sun, 23 Sep 2018 14:13:52 +0200
+Subject: [PATCH] vasnprintf: Fix heap memory overrun bug.
+
+Reported by Ben Pfaff in
+.
+
+* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
+memory.
+* tests/test-vasnprintf.c (test_function): Add another test.
+---
+ ChangeLog | 9 +++++++++
+ lib/vasnprintf.c | 4 +++-
+ tests/test-vasnprintf.c | 21 ++++++++++++++++++++-
+ 3 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 7daeebe..1de72f0 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++2018-09-23 Bruno Haible
++
++ vasnprintf: Fix heap memory overrun bug.
++ Reported by Ben Pfaff in
++ .
++ * lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
++ memory.
++ * tests/test-vasnprintf.c (test_function): Add another test.
++
+ 2018-07-17 Paul Eggert
+
+ hard-locale: simplify by removing hard-locale.m4
+diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
+index 56ffbe3..30d021b 100644
+--- a/lib/vasnprintf.c
++++ b/lib/vasnprintf.c
+@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
+ size_t a_len = a.nlimbs;
+ /* 0.03345 is slightly larger than log(2)/(9*log(10)). */
+ size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
+- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
++ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
++ digits of a, followed by 1 byte for the terminating NUL. */
++ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
+ if (c_ptr != NULL)
+ {
+ char *d_ptr = c_ptr;
+diff --git a/tests/test-vasnprintf.c b/tests/test-vasnprintf.c
+index 19731bc..93d81d7 100644
+--- a/tests/test-vasnprintf.c
++++ b/tests/test-vasnprintf.c
+@@ -53,7 +53,26 @@ test_function (char * (*my_asnprintf) (char *, size_t *, const char *, ...))
+ ASSERT (result != NULL);
+ ASSERT (strcmp (result, "12345") == 0);
+ ASSERT (length == 5);
+- if (size < 6)
++ if (size < 5 + 1)
++ ASSERT (result != buf);
++ ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
++ if (result != buf)
++ free (result);
++ }
++
++ /* Note: This test assumes IEEE 754 representation of 'double' floats. */
++ for (size = 0; size <= 8; size++)
++ {
++ size_t length;
++ char *result;
++
++ memcpy (buf, "DEADBEEF", 8);
++ length = size;
++ result = my_asnprintf (buf, &length, "%2.0f", 1.6314159265358979e+125);
++ ASSERT (result != NULL);
++ ASSERT (strcmp (result, "163141592653589790215729350939528493057529598899734151772468186268423257777068536614838678161083520756952076273094236944990208") == 0);
++ ASSERT (length == 126);
++ if (size < 126 + 1)
+ ASSERT (result != buf);
+ ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0);
+ if (result != buf)
+--
+2.30.0
+
diff --git a/gnulib.spec b/gnulib.spec
index 786899c..b3f3bb5 100644
--- a/gnulib.spec
+++ b/gnulib.spec
@@ -1,10 +1,11 @@ Name: gnulib Version: 0 -Release: 27.20180720git +Release: 28.20180720git Summary: The GNU Portability Library License: Public Domain and BSD and GPLv2+ and GPLv3 and GPLv3+ and LGPLv2 and LGPLv2+ and LGPLv3+ URL: https://www.gnu.org/software/gnulib Source0: https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=snapshot;h=68df637;sf=tgz;name=gnulib-68df637.tar.gz#/gnulib-68df637.tar.gz +Patch0: CVE-2018-17942.patch BuildRequires: perl-generators texinfo java-devel gettext-devel bison gperf libtool help2man git %description
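Review bot: The regression loop added to tests/test-vasnprintf.c asserts only on the returned string and on `length == 126`, while the commit message describes the defect as a one-byte shortfall in the `convert_to_decimal` allocation. A terminating NUL written one byte past the heap block would presumably leave both assertions passing on an unpatched build, so the test likely catches a regression only when run under a memory checker. I would say so in the comment above the loop, e.g. `/* The overrun this guards against is only detectable under ASan or valgrind; the assertions check the output, not the heap. */`, and run these tests with such a checker if the package build runs them at all. The bodies of `test_function` and `convert_to_decimal` start and end outside the embedded hunks.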
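Review bot: `Patch0: CVE-2018-17942.patch` only declares the patch; nothing in this hunk applies it, and the `%prep` section lies outside the hunk. Unless `%prep` already uses `%autosetup -p1` or `%autopatch`, it needs an explicit `%patch0 -p1` (the embedded patch uses `a/` and `b/` prefixes). Otherwise the package ships with the Release bumped and the CVE named in the changelog, but with the unpatched `lib/vasnprintf.c`. It is worth confirming in the build log that the patch is actually applied to the 68df637 snapshot.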
@@ -114,6 +115,9 @@ fi %license doc/COPYINGv2 %changelog +* Wed Feb 23 2022 yaoxin - 0-28.20180720git +- Fix CVE-2018-17942 + * Wed Jan 8 2020 sunguoshuai - 0-27.20180720git - Delete unwanted files. -- Gitee