From ec98cd4071cee2c6e984387f0066f2f8c73f7bd1 Mon Sep 17 00:00:00 2001
From: Gwyn Ciesla <gwync@protonmail.com>
Date: Mon, 18 May 2020 10:47:58 -0500
Subject: [PATCH] PAtch for CVE-2018-10756

---
 ...adf8e5e1c2b48791f9d22fc8c747e974180e.patch | 62 +++++++++++++++++++
 transmission.spec                             |  6 +-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 2123adf8e5e1c2b48791f9d22fc8c747e974180e.patch

diff --git a/2123adf8e5e1c2b48791f9d22fc8c747e974180e.patch b/2123adf8e5e1c2b48791f9d22fc8c747e974180e.patch
new file mode 100644
index 0000000..6ce93dd
--- /dev/null
+++ b/2123adf8e5e1c2b48791f9d22fc8c747e974180e.patch
@@ -0,0 +1,62 @@
+--- libtransmission/variant.c~	2018-05-01 12:21:08.000000000 -0500
++++ libtransmission/variant.c	2020-05-18 10:21:27.554214128 -0500
+@@ -820,7 +820,7 @@
+ struct SaveNode
+ {
+   const tr_variant * v;
+-  tr_variant sorted;
++  tr_variant* sorted;
+   size_t childIndex;
+   bool isVisited;
+ };
+@@ -849,26 +849,33 @@
+ 
+       qsort (tmp, n, sizeof (struct KeyIndex), compareKeyIndex);
+ 
+-      tr_variantInitDict (&node->sorted, n);
++      node->sorted = tr_new(tr_variant, 1);
++      tr_variantInitDict (node->sorted, n);
+       for (i=0; i<n; ++i)
+-        node->sorted.val.l.vals[i] = *tmp[i].val;
++        node->sorted->val.l.vals[i] = *tmp[i].val;
+       node->sorted.val.l.count = n;
+ 
+       tr_free (tmp);
+ 
+-      node->v = &node->sorted;
++      v = node->sorted;
+     }
+   else
+     {
+-      node->v = v;
++      node->sorted = NULL;
+     }
++    
++    node->v = v;
+ }
+ 
+ static void
+ nodeDestruct (struct SaveNode * node)
+ {
+-  if (node->v == &node->sorted)
+-    tr_free (node->sorted.val.l.vals);
++    //TR_ASSERT(node != NULL);
++    if (node->sorted != NULL)
++    {
++        tr_free(node->sorted->val.l.vals);
++        tr_free(node->sorted);    
++    }
+ }
+ 
+ /**
+--- libtransmission/variant.c~	2020-05-18 10:21:49.000000000 -0500
++++ libtransmission/variant.c	2020-05-18 10:24:34.673648865 -0500
+@@ -853,7 +853,7 @@
+       tr_variantInitDict (node->sorted, n);
+       for (i=0; i<n; ++i)
+         node->sorted->val.l.vals[i] = *tmp[i].val;
+-      node->sorted.val.l.count = n;
++      node->sorted->val.l.count = n;
+ 
+       tr_free (tmp);
+ 
diff --git a/transmission.spec b/transmission.spec
index 85ce028..8afb6b1 100644
--- a/transmission.spec
+++ b/transmission.spec
@@ -2,7 +2,7 @@
 
 Name:           transmission
 Version:        2.94
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        A lightweight GTK+ BitTorrent client
 # See COPYING. This licensing situation is... special.
 License:        MIT and GPLv2
@@ -16,6 +16,7 @@ Patch2:		transmission-fdlimits.patch
 # Fix the DBus name to match the app name for flatpak builds
 # https://github.com/transmission/transmission/pull/847
 Patch3:         0001-gtk-use-com.transmissionbt.Transmission.-D-Bus-names.patch
+Patch4:         2123adf8e5e1c2b48791f9d22fc8c747e974180e.patch
 
 BuildRequires:  openssl-devel >= 1.1.0
 BuildRequires:  glib2-devel >= 2.32.0
@@ -226,6 +227,9 @@ EOF
 %doc %{_mandir}/man1/transmission-qt.*
 
 %changelog
+* Mon May 18 2020 Gwyn Ciesla <gwync@protonmail.com> - 2.94-9
+- Backported patch for CVE-2018-10756
+
 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.94-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild