void-packages/srcpkgs/matio/patches/CVE-2019-20020.patch

From 8138e767bf6df7cccf1664f3a854e596628fdb2d Mon Sep 17 00:00:00 2001
From: Nathan Owens <ndowens04@gmail.com>
Date: Sat, 28 Dec 2019 18:25:58 -0600
Subject: [PATCH] matio: CVE-2019-20020 patch

Signed-off-by: Nathan Owens <ndowens04@gmail.com>
---
 src/mat5.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/mat5.c b/src/mat5.c
index abdb351..776f233 100644
--- a/src/mat5.c
+++ b/src/mat5.c
@@ -980,10 +980,26 @@ ReadNextCell( mat_t *mat, matvar_t *matvar )
                 /* Rank and Dimension */
                 if ( uncomp_buf[0] == MAT_T_INT32 ) {
                     int j;
+                    size_t size;
                     cells[i]->rank = uncomp_buf[1];
                     nbytes -= cells[i]->rank;
                     cells[i]->rank /= 4;
-                    cells[i]->dims = (size_t*)malloc(cells[i]->rank*sizeof(*cells[i]->dims));
+                    if ( 0 == do_clean && cells[i]->rank > 13 ) {
+                        int rank = cells[i]->rank;
+                        cells[i]->rank = 0;
+                        Mat_Critical("%d is not a valid rank", rank);
+                        continue;
+                    }
+                    err = SafeMul(&size, cells[i]->rank, sizeof(*cells[i]->dims));
+                    if ( err ) {
+                        if ( do_clean )
+                            free(dims);
+                        Mat_VarFree(cells[i]);
+                        cells[i] = NULL;
+                        Mat_Critical("Integer multiplication overflow");
+                        continue;
+                    }
+                    cells[i]->dims = (size_t*)malloc(size);
                     if ( mat->byteswap ) {
                         for ( j = 0; j < cells[i]->rank; j++ )
                             cells[i]->dims[j] = Mat_uint32Swap(dims + j);
-- 
2.24.1