From ab0531d59e13e7d170ddaa0039c84b246162c574 Mon Sep 17 00:00:00 2001
From: André Fabian Silva Delgado <emulatorman@parabola.nu>
Date: Sun, 5 Feb 2017 23:31:18 -0300
Subject: p7zip-16.02-3.parabola1: add fix for CVE-2016-9296 - FS#52841 ->
 https://bugs.archlinux.org/task/52841

---
 libre/p7zip/CVE-2016-9296.patch | 12 ++++++++++++
 libre/p7zip/PKGBUILD            |  9 +++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 libre/p7zip/CVE-2016-9296.patch

(limited to 'libre/p7zip')

diff --git a/libre/p7zip/CVE-2016-9296.patch b/libre/p7zip/CVE-2016-9296.patch
new file mode 100644
index 000000000..773f92a46
--- /dev/null
+++ b/libre/p7zip/CVE-2016-9296.patch
@@ -0,0 +1,12 @@
+--- ./CPP/7zip/Archive/7z/7zIn.cpp.orig	2016-11-21 01:42:29.460901230 +0000
++++ ./CPP/7zip/Archive/7z/7zIn.cpp	2016-11-21 01:42:57.481197725 +0000
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS
+       if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+         ThrowIncorrect();
+   }
+-  HeadersSize += folders.PackPositions[folders.NumPackStreams];
++  if (folders.PackPositions)
++      HeadersSize += folders.PackPositions[folders.NumPackStreams];
+   return S_OK;
+ }
+ 
diff --git a/libre/p7zip/PKGBUILD b/libre/p7zip/PKGBUILD
index eb4ff80be..254611af3 100644
--- a/libre/p7zip/PKGBUILD
+++ b/libre/p7zip/PKGBUILD
@@ -1,4 +1,4 @@
-# $Id: PKGBUILD 273435 2016-08-07 08:39:24Z foutrelis $
+# $Id: PKGBUILD 288091 2017-02-05 19:09:19Z foutrelis $
 # Maintainer (Arch): Evangelos Foutras <evangelos@foutrelis.com>
 # Contributor (Arch): Gaetan Bisson <bisson@archlinux.org>
 # Contributor (Arch): Thayer Williams <thayer@archlinux.org>
@@ -10,7 +10,7 @@
 _pkgname=p7zip-libre
 pkgname=p7zip
 pkgver=16.02
-pkgrel=2.parabola1
+pkgrel=3.parabola1
 pkgdesc="Command-line file archiver with high compression ratio"
 arch=('i686' 'x86_64' 'armv7h')
 url="http://p7zip.sourceforge.net/"
@@ -23,9 +23,11 @@ makedepends_x86_64=('yasm')
 install=$pkgname.install
 mksource=(https://downloads.sourceforge.net/project/$pkgname/$pkgname/$pkgver/${pkgname}_${pkgver}_src_all.tar.bz2)
 source=(https://repo.parabola.nu/other/${_pkgname}/${_pkgname}_${pkgver}_src_all.tar.bz2
+        CVE-2016-9296.patch
         libre.patch)
 mksha256sums=('5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f')
 sha256sums=('486e5784de9284c7123b401b3f27e684af772d03fc1fb8cdbbefb8123dc9f841'
+            'f9bcbf21d4aa8938861a6cba992df13dec19538286e9ed747ccec6d9a4e8f983'
             'feeeb3b1b7a827b7a675d6c8a363ea6c2499a4f04b3160c7e8d7bba42e0b3c15')
 
 mksource() {
@@ -45,6 +47,9 @@ mksource() {
 prepare() {
   cd "$srcdir/${pkgname}_$pkgver"
 
+  # https://sourceforge.net/p/p7zip/bugs/185/
+  patch -Np1 -i ../CVE-2016-9296.patch
+
   if [[ $CARCH = x86_64 ]]; then
     cp makefile.linux_amd64_asm makefile.machine
   elif [[ $CARCH = i686 ]]; then
-- 
cgit v1.2.3