From 6202225dd015e3fdbf642b5b8457e91783b720ae Mon Sep 17 00:00:00 2001
From: Dominik Mierzejewski
Date: Fri, 2 Feb 2024 13:47:00 +0100
Subject: [PATCH] backport fix for CVE-2023-52339 (#2258048, #2258046)
---
 libebml-cve-2023-52339.patch | 31 +++++++++++++++++++++++++++++++
 libebml.spec | 8 +++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 libebml-cve-2023-52339.patch
diff --git a/libebml-cve-2023-52339.patch b/libebml-cve-2023-52339.patch
new file mode 100644
index 0000000..4b17a1a
--- /dev/null
+++ b/libebml-cve-2023-52339.patch
@@ -0,0 +1,31 @@
+diff -up libebml-1.3.9/src/MemIOCallback.cpp.cve-2023-52339 libebml-1.3.9/src/MemIOCallback.cpp
+--- libebml-1.3.9/src/MemIOCallback.cpp.cve-2023-52339 2024-02-02 13:48:28.626522658 +0100
++++ libebml-1.3.9/src/MemIOCallback.cpp 2024-02-02 13:49:59.620078963 +0100
+@@ -68,7 +68,8 @@ uint32 MemIOCallback::read(void *Buffer,
+ if (Buffer == NULL || Size < 1)
+ return 0;
+ //If the size is larger than than the amount left in the buffer
+- if (Size + dataBufferPos > dataBufferTotalSize) {
++ if (Size + dataBufferPos < Size || // overflow, reading too much
++ Size + dataBufferPos > dataBufferTotalSize) {
+ //We will only return the remaining data
+ memcpy(Buffer, dataBuffer + dataBufferPos, dataBufferTotalSize - dataBufferPos);
+ uint64 oldDataPos = dataBufferPos;
+@@ -95,6 +96,8 @@ void MemIOCallback::setFilePointer(int64
+ 
+ size_t MemIOCallback::write(const void *Buffer, size_t Size)
+ {
++ if (dataBufferPos + Size < Size) // overflow, we can't hold that much
++ return 0;
+ if (dataBufferMemorySize < dataBufferPos + Size) {
+ //We need more memory!
+ dataBuffer = (binary *)realloc((void *)dataBuffer, dataBufferPos + Size);
+@@ -109,6 +112,8 @@ size_t MemIOCallback::write(const void *
+ 
+ uint32 MemIOCallback::write(IOCallback & IOToRead, size_t Size)
+ {
++ if (dataBufferPos + Size < Size) // overflow, we can't hold that much
++ return 0;
+ if (dataBufferMemorySize < dataBufferPos + Size) {
+ //We need more memory!
+ dataBuffer = (binary *)realloc((void *)dataBuffer, dataBufferPos + Size);
diff --git a/libebml.spec b/libebml.spec
index 8c56320..e525c25 100644
--- a/libebml.spec
+++ b/libebml.spec
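Review bot: In both write() hunks the grown buffer is still assigned straight back with `dataBuffer = (binary *)realloc((void *)dataBuffer, dataBufferPos + Size);`, so a failed realloc — which a huge but non-wrapping Size that passes the new `dataBufferPos + Size < Size` guard will readily produce — replaces the only pointer to the old block with NULL, leaking it and leaving any later use of dataBuffer to dereference NULL. Keep the old pointer until the call succeeds: `binary *grown = (binary *)realloc((void *)dataBuffer, dataBufferPos + Size); if (grown == NULL) return 0; dataBuffer = grown;`. In the read() hunk the new wrap check also does not cover dataBufferPos already being beyond dataBufferTotalSize (possible if setFilePointer, not shown here, allows seeking past the end), in which case `dataBufferTotalSize - dataBufferPos` underflows and the memcpy copies an enormous range; a `dataBufferPos >= dataBufferTotalSize` early return alongside the Size check would close that. The bodies of read() and of both write() overloads continue outside the hunk, so whether any NULL check follows the realloc there cannot be seen from this patch.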
@@ -1,11 +1,13 @@
 Summary: Extensible Binary Meta Language library
 Name: libebml
 Version: 1.3.9
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPLv2+
 URL: https://www.matroska.org/
 Source: https://dl.matroska.org/downloads/%{name}/%{name}-%{version}.tar.xz
 Patch0: %{name}-use-system-utf8cpp.patch
+# https://github.com/Matroska-Org/libebml/pull/148
+Patch1: %{name}-cve-2023-52339.patch
 BuildRequires: cmake3
 BuildRequires: gcc-c++
 BuildRequires: utf8cpp-devel
@@ -34,6 +36,7 @@ will use the Extensible Binary Meta Language library.
 %prep
 %setup -q
 %patch0 -p1 -b .utf8cpp
+%patch1 -p1 -b .cve-2023-52339
 rm -r src/lib/utf8-cpp
@@ -66,6 +69,9 @@ make %{?_smp_mflags}
 %changelog
+* Fri Feb 02 2024 Dominik Mierzejewski - 1.3.9-2
+- backport fix for CVE-2023-52339 (#2258048, #2258046)
+
 * Tue Sep 10 2019 Dominik Mierzejewski - 1.3.9-1
 - update to 1.3.9 (#1688001)