From 4cacf51386fe9d0e3c529490a05e640fba792ad1 Mon Sep 17 00:00:00 2001
From: Jonathan Behrens
Date: Fri, 27 Oct 2023 11:43:34 -0700
Subject: [PATCH] Fix zhash CVE-2023-46228 (#6615)
---
 SPECS/zchunk/CVE-2023-46228.patch | 107 ++++++++++++++++++++++++++++++
 SPECS/zchunk/zchunk.spec | 8 ++-
 2 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/zchunk/CVE-2023-46228.patch
diff --git a/SPECS/zchunk/CVE-2023-46228.patch b/SPECS/zchunk/CVE-2023-46228.patch
new file mode 100644
index 0000000000..8d3015e00b
--- /dev/null
+++ b/SPECS/zchunk/CVE-2023-46228.patch
@@ -0,0 +1,107 @@ +Modified patch 08aec2b4dfd7f709b6e3d511411ffcc83ed4efbe to apply to CBL-Mariner: Rebased onto version 1.1.16 +Modified-by: Jonathan Behrens + +From 9af4517ab18bdd36b406cbb5e5412142768538e6 Mon Sep 17 00:00:00 2001 +From: Jonathan Dieter +Date: Thu, 5 Oct 2023 19:52:18 +0100 +Subject: [PATCH] Handle overflow errors in malformed zchunk files + +Thanks to Agostino Sarubbo of Gentoo for the heads up! + +Signed-off-by: Jonathan Dieter +--- + src/lib/comp/comp.c | 6 ++++++ + src/lib/comp/zstd/zstd.c | 6 ++++++ + src/lib/dl/multipart.c | 6 ++++++ + src/lib/header.c | 17 +++++++++++++++++ + 4 files changed, 35 insertions(+) + +diff --git a/src/lib/comp/comp.c b/src/lib/comp/comp.c +index 89b3301..c7faf04 100644 +--- a/src/lib/comp/comp.c ++++ b/src/lib/comp/comp.c +@@ -115,6 +115,12 @@ static bool comp_add_to_data(zckCtx *zck, zckComp *comp, const char *src, + ALLOCD_BOOL(zck, comp); + ALLOCD_BOOL(zck, src); + ++ if((comp->data_size > comp->data_size + src_size) || ++ (src_size > comp->data_size + src_size)) { ++ zck_log(ZCK_LOG_ERROR, "Integer overflow when reading data"); ++ return false; ++ } ++ + comp->data = zrealloc(comp->data, comp->data_size + src_size); + zck_log(ZCK_LOG_DEBUG, "Adding %lu bytes to compressed buffer", + src_size); +diff --git a/src/lib/comp/zstd/zstd.c b/src/lib/comp/zstd/zstd.c +index 628edc7..1e02dbb 100644 +--- a/src/lib/comp/zstd/zstd.c ++++ b/src/lib/comp/zstd/zstd.c +@@ -115,6 +115,12 @@ static ssize_t compress(zckCtx *zck, zckComp *comp, const char *src, + ALLOCD_INT(zck, dst_size); + ALLOCD_INT(zck, comp); + ++ if((comp->dc_data_size > comp->dc_data_size + src_size) || ++ (src_size > comp->dc_data_size + src_size)) { ++ zck_log(ZCK_LOG_ERROR, "Integer overflow when reading decompressed data"); ++ return false; ++ } ++ + comp->dc_data = zrealloc(comp->dc_data, comp->dc_data_size + src_size); + + memcpy(comp->dc_data + comp->dc_data_size, src, src_size); +diff --git a/src/lib/dl/multipart.c b/src/lib/dl/multipart.c +index 
f8c11df..e67f9e2 100644 +--- a/src/lib/dl/multipart.c ++++ b/src/lib/dl/multipart.c +@@ -119,6 +119,12 @@ size_t multipart_extract(zckDL *dl, char *b, size_t l) { + + /* Add new data to stored buffer */ + if(mp->buffer) { ++ if((mp->buffer_len > mp->buffer_len + l) || ++ (l > mp->buffer_len + l)) { ++ zck_log(ZCK_LOG_ERROR, "Integer overflow when extracting multipart data"); ++ return 0; ++ } ++ + buf = zrealloc(mp->buffer, mp->buffer_len + l); + memcpy(buf + mp->buffer_len, b, l); + l = mp->buffer_len + l; +diff --git a/src/lib/header.c b/src/lib/header.c +index 38b587b..9f3709a 100644 +--- a/src/lib/header.c ++++ b/src/lib/header.c +@@ -59,6 +59,17 @@ static bool read_optional_element(zckCtx *zck, size_t id, size_t data_size, + } + + static bool read_header_from_file(zckCtx *zck) { ++ /* Verify that lead_size and header_length have been set and are legit */ ++ if(zck->lead_size == 0 || zck->header_length == 0) { ++ set_error(zck, "Lead and header sizes are both 0. Have you run zck_read_lead() yet?"); ++ return false; ++ } ++ if((zck->lead_size > zck->lead_size + zck->header_length) || ++ (zck->header_length > zck->lead_size + zck->header_length)) { ++ zck_log(ZCK_LOG_ERROR, "Integer overflow when reading header"); ++ return false; ++ } ++ + /* Allocate header and store any extra bytes at beginning of header */ + zck->header = zrealloc(zck->header, zck->lead_size + zck->header_length); + zck->lead_string = zck->header; +@@ -444,6 +455,12 @@ static bool read_lead(zckCtx *zck) { + /* Set header digest location */ + zck->hdr_digest_loc = length; + ++ /* Verify that we're not going to overflow */ ++ if(length > length + zck->hash_type.digest_size) { ++ zck_log(ZCK_LOG_ERROR, "Integer overflow when reading lead"); ++ return false; ++ } ++ + /* Read header digest */ + zck_log(ZCK_LOG_DEBUG, "Reading header digest"); + header = zrealloc(header, length + zck->hash_type.digest_size); +-- +2.34.1 + 
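Review bot: In the zstd.c hunk `compress` is declared `static ssize_t`, yet the new overflow branch ends with `return false;`, which is 0 and cannot be told apart from the function's ordinary non-negative return, so a caller checking for a negative result will carry on into the `zrealloc`/`memcpy` path this guard was meant to stop; the `ALLOCD_INT` guards two lines above presumably return -1, and the new branch should follow that convention, `return -1;`. The same `a > a + b || b > a + b` pair appears in comp.c, multipart.c and header.c; for unsigned operands the first comparison alone catches every wrap (a wrapped sum is smaller than both operands), so the second disjunct is redundant, and if either field is a signed type the addition itself is undefined behaviour before the compare runs — worth confirming the fields involved are `size_t`. The header.c hunk reports the zero-size case through `set_error()` but the overflow cases through `zck_log()`; if `set_error` is what surfaces the failure to API callers, the overflow paths should use it as well. In multipart.c the overflow branch returns 0 from `multipart_extract`, which may be indistinguishable from "nothing extracted" for its caller. All of the enclosing functions continue outside the quoted hunks.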
diff --git a/SPECS/zchunk/zchunk.spec b/SPECS/zchunk/zchunk.spec
index cfc5cf1959..1317f45d03 100644
--- a/SPECS/zchunk/zchunk.spec
+++ b/SPECS/zchunk/zchunk.spec
@@ -1,13 +1,14 @@
 Summary: Compressed file format
 Name: zchunk
 Version: 1.1.16
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: BSD 2-Clause AND MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: Applications/System
 URL: https://github.com/zchunk/zchunk
 Source0: https://github.com/zchunk/zchunk/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0: CVE-2023-46228.patch
 BuildRequires: curl-devel
 BuildRequires: meson
 BuildRequires: openssl-devel
@@ -49,7 +50,7 @@ This package contains the headers necessary for building against the zchunk
 library, libzck.
 
 %prep
-%setup -q
+%autosetup -p1
 
 # Remove bundled sha libraries
 rm -rf src/lib/hash/sha*
@@ -87,6 +88,9 @@ DESTDIR=%{buildroot}/ ninja install
 %{_includedir}/zck.h
 
 %changelog
+* Mon Oct 23 2023 Jonathan Behrens - 1.1.16-3
+- Patch CVE-2023-46228
+
 * Mon Apr 11 2022 Pawel Winogrodzki - 1.1.16-2
 - Fixing invalid source URL.