From af7af76da623d591b8e19425ad0055d193082eb8 Mon Sep 17 00:00:00 2001
From: Linux_zhang
Date: Wed, 5 Nov 2025 13:59:11 +0800
Subject: [PATCH] Fix CVE-2023-31722
(cherry picked from commit e3b00c93729bde15a8927b04631f6bcc44cce746)
---
 ...-heap-memory-overflow-CVE-2023-31722.patch | 49 +++++++++++++++++++
 nasm.spec | 6 ++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 backport-preproc-fix-heap-memory-overflow-CVE-2023-31722.patch
diff --git a/backport-preproc-fix-heap-memory-overflow-CVE-2023-31722.patch b/backport-preproc-fix-heap-memory-overflow-CVE-2023-31722.patch
new file mode 100644
index 0000000..1c3b63f
--- /dev/null
+++ b/backport-preproc-fix-heap-memory-overflow-CVE-2023-31722.patch
@@ -0,0 +1,49 @@
+From e39b856bdeec852e9b078dd9b7cad74caee618b4 Mon Sep 17 00:00:00 2001
+From: hongjinghao
+Date: Tue, 5 Sep 2023 20:28:26 +0800
+Subject: [PATCH] preproc: fix heap memory overflow CVE-2023-31722
+
+paramlen has heap memory of length nparam+1. The value of variable i
+may be greater than nparam+1, causing heap memory overflow. Therefore,
+i and nparam+1 needs to be determined in the loop.
+
+Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392857#c1
+Fixes: https://github.com/netwide-assembler/nasm/pull/83
+Signed-off-by: H. Peter Anvin (Intel)
+---
+ asm/preproc.c | 2 +-
+ nasmlib/alloc.c | 4 +++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/asm/preproc.c b/asm/preproc.c
+index 22b7f72f..c82b570c 100644
+--- a/asm/preproc.c
++++ b/asm/preproc.c
+@@ -7245,7 +7245,7 @@ static int expand_mmacro(Token * tline)
+ */
+ nasm_newn(paramlen, nparam+1);
+
+- for (i = 1; (t = params[i]); i++) {
++ for (i = 1; i < nparam+1 && (t = params[i]); i++) {
+ bool braced = false;
+ int brace = 0;
+ int white = 0;
+diff --git a/nasmlib/alloc.c b/nasmlib/alloc.c
+index 32e181e7..b77d4821 100644
+--- a/nasmlib/alloc.c
++++ b/nasmlib/alloc.c
+@@ -74,8 +74,10 @@ void *nasm_realloc(void *q, size_t size)
+
+ void nasm_free(void *q)
+ {
+- if (q)
++ if (q){
+ free(q);
++ q = NULL;
++ }
+ }
+
+ char *nasm_strdup(const char *s)
+--
+2.43.0
+
diff --git a/nasm.spec b/nasm.spec
index b4ea0d2..34cd40e 100644
--- a/nasm.spec
+++ b/nasm.spec
@@ -8,7 +8,7 @@ Name: nasm
 Version: 2.16.01
-Release: 1
+Release: 2
 Summary: The Netwide Assembler, a portable x86 assembler with Intel-like syntax
 License: BSD-2-Clause
 URL: http://www.nasm.us
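Review bot: In the embedded nasmlib/alloc.c hunk, `q = NULL;` after `free(q);` assigns to nasm_free's own by-value parameter, so the caller's pointer is untouched and the line gives no protection against use-after-free or double-free; the added braces wrap a no-op that a reader may mistake for a real hardening. Consider carrying only the asm/preproc.c hunk in this backport, since `for (i = 1; i < nparam+1 && (t = params[i]); i++)` is the change that actually fixes CVE-2023-31722 by stopping before the nparam+1 entries allocated by `nasm_newn(paramlen, nparam+1);` on the line above, or, if the upstream patch must stay verbatim, note in the spec changelog or the patch header that the alloc.c change is cosmetic. The enclosing expand_mmacro body continues outside the quoted hunk, so whether params[] itself is always terminated within nparam+1 entries cannot be confirmed from here.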
@@ -17,6 +17,7 @@ Source1: http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version
 Patch6000: enable-make-check.patch
 Patch6001: fix-help-info-error.patch
+Patch6002: backport-preproc-fix-heap-memory-overflow-CVE-2023-31722.patch
 BuildRequires: perl(Env) autoconf asciidoc xmlto gcc make git automake
 Obsoletes: nasm-rdoff < 2.16.01-1
@@ -77,6 +78,9 @@ make test
 %{_mandir}/man1/ndisasm*
 %changelog
+* Wed Nov 05 2025 Linux_zhang - 2.16.01-2
+- Fix CVE-2023-31722
+
 * Thu May 18 2023 liyanan - 2.16.01-1
 - update to 2.16.01
-- Gitee
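Review bot: `Patch6002:` is only declared in this hunk; whether it is actually applied depends on the %prep section, which is outside the visible diff. If the spec applies patches with `%autosetup -p1` this is sufficient, but if it uses explicit `%patch` directives a matching line for 6002 is needed, otherwise the build still ships without the CVE-2023-31722 fix while the changelog claims it. Worth confirming against the full spec before merging.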