From 70a41d45b75818feaeb4c1553ec560e5ba1c38f1091f72707f436cba5b3106e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= <tchvatal@suse.com>
Date: Mon, 12 Dec 2016 12:15:08 +0000
Subject: [PATCH] - Include fixes for bnc#1003580 bnc#1003579 bnc#1003577
 bnc#1013882:   * zlib-bnc1003580.patch   * zlib-bnc1013882.patch
 CVE-2016-9843

OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zlib?expand=0&rev=35
---
 zlib-bnc1003580.patch | 68 +++++++++++++++----------------------------
 zlib-bnc1013882.patch | 49 +++++++++++++++++++++++++++++++
 zlib.changes          |  5 ++--
 zlib.spec             |  2 ++
 4 files changed, 78 insertions(+), 46 deletions(-)
 create mode 100644 zlib-bnc1013882.patch

diff --git a/zlib-bnc1003580.patch b/zlib-bnc1003580.patch
index 065ce69..755e89d 100644
--- a/zlib-bnc1003580.patch
+++ b/zlib-bnc1003580.patch
@@ -1,49 +1,29 @@
-From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001
+From e54e1299404101a5a9d0cf5e45512b543967f958 Mon Sep 17 00:00:00 2001
 From: Mark Adler <madler@alumni.caltech.edu>
-Date: Wed, 28 Sep 2016 20:20:25 -0700
-Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation.
+Date: Sat, 5 Sep 2015 17:45:55 -0700
+Subject: [PATCH] Avoid shifts of negative values inflateMark().
 
-There was a small optimization for PowerPCs to pre-increment a
-pointer when accessing a word, instead of post-incrementing. This
-required prefacing the loop with a decrement of the pointer,
-possibly pointing before the object passed. This is not compliant
-with the C standard, for which decrementing a pointer before its
-allocated memory is undefined. When tested on a modern PowerPC
-with a modern compiler, the optimization no longer has any effect.
-Due to all that, and per the recommendation of a security audit of
-the zlib code by Trail of Bits and TrustInSoft, in support of the
-Mozilla Foundation, this "optimization" was removed, in order to
-avoid the possibility of undefined behavior.
+The C standard says that bit shifts of negative integers is
+undefined.  This casts to unsigned values to assure a known
+result.
 ---
- crc32.c | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
 
-diff --git a/crc32.c b/crc32.c
-index 979a719..05733f4 100644
---- a/crc32.c
-+++ b/crc32.c
-@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
+diff --git a/inflate.c b/inflate.c
+index 2889e3a..a718416 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -1506,9 +1506,10 @@ z_streamp strm;
+ {
+     struct inflate_state FAR *state;
+ 
+-    if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
++    if (strm == Z_NULL || strm->state == Z_NULL)
++        return (long)(((unsigned long)0 - 1) << 16);
+     state = (struct inflate_state FAR *)strm->state;
+-    return ((long)(state->back) << 16) +
++    return (long)(((unsigned long)((long)state->back)) << 16) +
+         (state->mode == COPY ? state->length :
+             (state->mode == MATCH ? state->was - state->length : 0));
  }
- 
- /* ========================================================================= */
--#define DOBIG4 c ^= *++buf4; \
-+#define DOBIG4 c ^= *buf4++; \
-         c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
-             crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
- #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
-@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
-     }
- 
-     buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
--    buf4--;
-     while (len >= 32) {
-         DOBIG32;
-         len -= 32;
-@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
-         DOBIG4;
-         len -= 4;
-     }
--    buf4++;
-     buf = (const unsigned char FAR *)buf4;
- 
-     if (len) do {
diff --git a/zlib-bnc1013882.patch b/zlib-bnc1013882.patch
new file mode 100644
index 0000000..065ce69
--- /dev/null
+++ b/zlib-bnc1013882.patch
@@ -0,0 +1,49 @@
+From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 28 Sep 2016 20:20:25 -0700
+Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation.
+
+There was a small optimization for PowerPCs to pre-increment a
+pointer when accessing a word, instead of post-incrementing. This
+required prefacing the loop with a decrement of the pointer,
+possibly pointing before the object passed. This is not compliant
+with the C standard, for which decrementing a pointer before its
+allocated memory is undefined. When tested on a modern PowerPC
+with a modern compiler, the optimization no longer has any effect.
+Due to all that, and per the recommendation of a security audit of
+the zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this "optimization" was removed, in order to
+avoid the possibility of undefined behavior.
+---
+ crc32.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/crc32.c b/crc32.c
+index 979a719..05733f4 100644
+--- a/crc32.c
++++ b/crc32.c
+@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
+ }
+ 
+ /* ========================================================================= */
+-#define DOBIG4 c ^= *++buf4; \
++#define DOBIG4 c ^= *buf4++; \
+         c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
+             crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
+ #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
+@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
+     }
+ 
+     buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
+-    buf4--;
+     while (len >= 32) {
+         DOBIG32;
+         len -= 32;
+@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
+         DOBIG4;
+         len -= 4;
+     }
+-    buf4++;
+     buf = (const unsigned char FAR *)buf4;
+ 
+     if (len) do {
diff --git a/zlib.changes b/zlib.changes
index fc684e3..1f2ecfe 100644
--- a/zlib.changes
+++ b/zlib.changes
@@ -1,11 +1,12 @@
 -------------------------------------------------------------------
 Sun Dec  4 12:47:51 UTC 2016 - tchvatal@suse.com
 
-- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577:
+- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577 bnc#1013882:
   * zlib-bnc1003577.patch
   * zlib-bnc1003579-part2.patch
   * zlib-bnc1003579.patch
-  * zlib-bnc1003580.patch CVE-2016-9843
+  * zlib-bnc1003580.patch
+  * zlib-bnc1013882.patch CVE-2016-9843
 
 -------------------------------------------------------------------
 Thu Sep 24 20:21:46 UTC 2015 - jengelh@inai.de
diff --git a/zlib.spec b/zlib.spec
index d658556..c129396 100644
--- a/zlib.spec
+++ b/zlib.spec
@@ -37,6 +37,7 @@ Patch2:         zlib-bnc1003577.patch
 Patch3:         zlib-bnc1003579-part2.patch
 Patch4:         zlib-bnc1003579.patch
 Patch5:         zlib-bnc1003580.patch
+Patch6:         zlib-bnc1013882.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
@@ -124,6 +125,7 @@ developing applications which use minizip.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 %build
 export LDFLAGS="-Wl,-z,relro,-z,now"