From acfe72424e74739e9d89644aa86e0022e1edaa13 Mon Sep 17 00:00:00 2001
From: zhanghua1831
Date: Wed, 16 Sep 2020 15:31:09 +0800
Subject: [PATCH] fix CVE-2019-18609
---
 CVE-2019-18609.patch | 47 ++++++++++++++++++++++++++++++++++++++++++++
 librabbitmq.spec | 6 +++++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-18609.patch
diff --git a/CVE-2019-18609.patch b/CVE-2019-18609.patch
new file mode 100644
index 0000000..d522ab2
--- /dev/null
+++ b/CVE-2019-18609.patch
@@ -0,0 +1,47 @@
+From fc85be7123050b91b054e45b91c78d3241a5047a Mon Sep 17 00:00:00 2001
+From: Alan Antonuk
+Date: Sun, 3 Nov 2019 23:50:07 -0800
+Subject: [PATCH] lib: check frame_size is >= INT32_MAX
+
+When parsing a frame header, validate that the frame_size is less than
+or equal to INT32_MAX. Given frame_max is limited between 0 and
+INT32_MAX in amqp_login and friends, this does not change the API.
+
+This prevents a potential buffer overflow when a malicious client sends
+a frame_size that is close to UINT32_MAX, in which causes an overflow
+when computing state->target_size resulting in a small value there. A
+buffer is then allocated with the small amount, then memcopy copies the
+frame_size writing to memory beyond the end of the buffer.
+---
+ librabbitmq/amqp_connection.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/librabbitmq/amqp_connection.c b/librabbitmq/amqp_connection.c
+index 034b2e96..b106f70a 100644
+--- a/librabbitmq/amqp_connection.c
++++ b/librabbitmq/amqp_connection.c
+@@ -287,12 +287,21 @@ int amqp_handle_input(amqp_connection_state_t state, amqp_bytes_t received_data,
+ case CONNECTION_STATE_HEADER: {
+ amqp_channel_t channel;
+ amqp_pool_t *channel_pool;
+- /* frame length is 3 bytes in */
++ uint32_t frame_size;
++
+ channel = amqp_d16(amqp_offset(raw_frame, 1));
+ 
+- state->target_size =
+- amqp_d32(amqp_offset(raw_frame, 3)) + HEADER_SIZE + FOOTER_SIZE;
++ /* frame length is 3 bytes in */
++ frame_size = amqp_d32(amqp_offset(raw_frame, 3));
++ /* To prevent the target_size calculation below from overflowing, check
++ * that the stated frame_size is smaller than a signed 32-bit. Given
++ * the library only allows configuring frame_max as an int32_t, and
++ * frame_size is uint32_t, the math below is safe from overflow.
*/
++ if (frame_size >= INT32_MAX) {
++ return AMQP_STATUS_BAD_AMQP_DATA;
++ }
+ 
++ state->target_size = frame_size + HEADER_SIZE + FOOTER_SIZE;
+ if ((size_t)state->frame_max < state->target_size) {
+ return AMQP_STATUS_BAD_AMQP_DATA;
+ }
diff --git a/librabbitmq.spec b/librabbitmq.spec
index af2560a..8936e9f 100644
--- a/librabbitmq.spec
+++ b/librabbitmq.spec
@@ -4,12 +4,13 @@
 Name: librabbitmq
 Version: 0.9.0
-Release: 3
+Release: 4
 Summary: The AMQP client library
 License: MIT
 URL: https://github.com/alanxz/rabbitmq-c
 Source0: https://github.com/alanxz/%{project_name}/archive/%{git_commit}/%{project_name}-%{version}-%{git_short_commit}.tar.gz
+Patch0000: CVE-2019-18609.patch
 BuildRequires: cmake > 2.8
 BuildRequires: popt-devel > 1.14
@@ -66,5 +67,8 @@ make test
 %changelog
+* Wed Sep 16 2020 zhanghua - 0.9.0-4
+- Fix CVE-2019-18609
+
 * Sat Dec 14 2019 openEuler Buildteam - 0.9.0-3
 - Package init
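Review bot: The first librabbitmq.spec hunk declares `+Patch0000: CVE-2019-18609.patch` but the %prep section lies outside the hunk, so it is not visible here whether the patch is actually applied; if %prep uses plain `%setup` rather than `%autosetup -p1` or an explicit `%patch0000 -p1`, the 0.9.0-4 build would ship the Release bump and changelog entry without the fix. The vendored patch's paths are `a/librabbitmq/amqp_connection.c`, so strip level 1 is required, and its `index 034b2e96..b106f70a` line records the upstream blob it was generated against, which cannot be matched against the tree at `%{git_commit}` from this diff alone. Worth confirming in the build log that the hunk in amqp_connection.c applied cleanly before the release is published.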