From 61a5130356f0da06744d00b9b20ad9de4ed5fe43 Mon Sep 17 00:00:00 2001
From: jackey_1024 <jikui2@huawei.com>
Date: Fri, 28 Oct 2022 09:54:50 +0800
Subject: [PATCH] busybox: fix use after free in bc module

Signed-off-by: jackey_1024 <jikui2@huawei.com>
---
 ...port-fix-use-after-free-in-bc-module.patch | 29 +++++++++++++++++++
 busybox.spec                                  |  6 +++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-use-after-free-in-bc-module.patch

diff --git a/backport-fix-use-after-free-in-bc-module.patch b/backport-fix-use-after-free-in-bc-module.patch
new file mode 100644
index 0000000..1979742
--- /dev/null
+++ b/backport-fix-use-after-free-in-bc-module.patch
@@ -0,0 +1,29 @@
+From 907e1b3a22a8092461176af45468c5b1b9bf6cc0 Mon Sep 17 00:00:00 2001
+From: jackey_1024 <jikui2@huawei.com>
+Date: Fri, 28 Oct 2022 09:45:08 +0800
+Subject: [PATCH] busybox: fix use after free in bc module
+
+backport from upstream:
+https://git.busybox.net/busybox/commit/?id=41d5f800a14769704082f7faeabb8435285499be
+
+Signed-off-by: jackey_1024 <jikui2@huawei.com>
+---
+ miscutils/bc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/miscutils/bc.c b/miscutils/bc.c
+index f9b08b0..4363585 100644
+--- a/miscutils/bc.c
++++ b/miscutils/bc.c
+@@ -2892,6 +2892,8 @@ static char peek_inbuf(void)
+ 	) {
+ 		xc_read_line(&G.input_buffer, G.prs.lex_input_fp);
+ 		G.prs.lex_inbuf = G.input_buffer.v;
++		// lex_next_at may point to now-freed data, update it:
++		G.prs.lex_next_at = G.prs.lex_inbuf;
+ 		if (G.input_buffer.len <= 1) // on EOF, len is 1 (NUL byte)
+ 			G.prs.lex_input_fp = NULL;
+ 	}
+-- 
+2.25.1
+
diff --git a/busybox.spec b/busybox.spec
index a70992b..c00e32b 100644
--- a/busybox.spec
+++ b/busybox.spec
@@ -4,7 +4,7 @@
 %endif
 
 %if "%{!?RELEASE:1}"
-%define RELEASE 17
+%define RELEASE 18
 %endif
 Epoch: 1
 
@@ -22,6 +22,7 @@ Source3: busybox-dynamic.config
 
 Patch6000: backport-CVE-2022-28391.patch
 Patch6001: backport-CVE-2022-30065.patch
+Patch6002: backport-fix-use-after-free-in-bc-module.patch
 
 BuildRoot:      %_topdir/BUILDROOT
 #Dependency
@@ -97,6 +98,9 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
+* Fri Oct 28 2022 jikui <jikui2@huawei.com> - 1:1.34.1-18
+- fix use after free in bc module
+
 * Fri Aug 19 2022 jikui <jikui2@huawei.com> - 1:1.34.1-17
 - Type:CVE
 - Id:NA