libtpms/libtpms-CVE-2021-3746.patch
Marcus Meissner 5e1c966304 Accepting request 915306 from home:pgajdos
- security update
- added patches
  fix CVE-2021-3746 [bsc#1189935], out-of-bounds access via specially crafted TPM 2 command packets
  + libtpms-CVE-2021-3746.patch

OBS-URL: https://build.opensuse.org/request/show/915306
OBS-URL: https://build.opensuse.org/package/show/security/libtpms?expand=0&rev=28
2021-09-10 13:22:37 +00:00


diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
index 2b2d84a6..430f481f 100644
--- a/src/tpm2/NVMarshal.c
+++ b/src/tpm2/NVMarshal.c
@@ -4103,6 +4103,12 @@ INDEX_ORDERLY_RAM_Marshal(void *array, size_t array_size,
datasize, buffer, size);
}
offset += nrh.size;
+ if (offset + sizeof(NV_RAM_HEADER) > array_size) {
+ /* nothing will fit anymore and there won't be a 0-sized
+ * terminating node (@1).
+ */
+ break;
+ }
}
written += BLOCK_SKIP_WRITE_PUSH(TRUE, buffer, size);
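Review bot: The new bound check sits at the bottom of the loop, after `offset += nrh.size;`, so it guards the header read of the next iteration but not the first pass. The top of the loop is outside this hunk; if `array_size` can ever be smaller than `sizeof(NV_RAM_HEADER)`, confirm that the first read is bounded there as well. The early `break` also produces a stream with no zero-sized terminating node, which is only safe because the reader has a matching exit. The comment should name that counterpart instead of relying on the `@1` tag alone, e.g. `/* no room for another header, so no 0-sized terminator is written (@1); INDEX_ORDERLY_RAM_Unmarshal must stop on the same condition */`.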
@@ -4144,6 +4150,16 @@ INDEX_ORDERLY_RAM_Unmarshal(void *array, size_t array_size,
*/
nrhp = array + offset;
+ if (offset + sizeof(NV_RAM_HEADER) > sourceside_size) {
+ /* this case can occur with the previous entry filling up the
+ * space; in this case there will not be a 0-sized terminating
+ * node (see @1 above). We clear the rest of our space.
+ */
+ if (array_size > offset)
+ memset(nrhp, 0, array_size - offset);
+ break;
+ }
+
/* write the NVRAM header;
nrh->size holds the complete size including data;
nrh->size = 0 indicates the end */
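Review bot: The added branch uses two different bounds without saying why: the exit test compares against `sourceside_size`, while the `memset` length is derived from `array_size`. `sourceside_size` presumably comes from the marshalled blob (its assignment is outside the hunk), so a comment should state that it is untrusted and that only `array_size` may bound writes into `array`, e.g. `/* sourceside_size is taken from the stream; writes are limited by the local array_size */`. The inner `if (array_size > offset)` guard is what keeps the length from underflowing, and it should be braced like the surrounding block. `nrhp = array + offset` is formed before any check on `offset` visible here, so confirm that the code above the hunk keeps `offset` within `array_size`.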
diff --git a/src/tpm2/Object.c b/src/tpm2/Object.c
index ab503487..967105f5 100644
--- a/src/tpm2/Object.c
+++ b/src/tpm2/Object.c
@@ -284,7 +284,8 @@ FindEmptyObjectSlot(
if(handle)
*handle = i + TRANSIENT_FIRST;
// Initialize the object attributes
- MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
+ // MemorySet(&object->attributes, 0, sizeof(OBJECT_ATTRIBUTES));
+ MemorySet(object, 0, sizeof(*object)); // libtpms added: Initialize the whole object
return object;
}
}
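Review bot: The trailing comment on the new `MemorySet(object, 0, sizeof(*object));` says what the line does but not why the narrower clear of `object->attributes` was insufficient. A slot returned by FindEmptyObjectSlot may still hold fields from its previous occupant, which looks like the reason for this change; if so, say it, e.g. `// libtpms added: clear the whole slot so no stale field from a previously loaded object is reused`. The commented-out original line should carry a short marker that it is kept only for comparison with the upstream reference code, otherwise it reads as dead code. The function starts outside this hunk, so whether the slot is guaranteed unoccupied at this point cannot be checked from here.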