From ecd70b66ba113b4a0a21a783a46c1a5f61177fa5 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Tue, 29 Aug 2023 09:53:21 +0800
Subject: [PATCH] Fix CVE-2023-40305
---
 ...a-heap-buffer-overwrite-CVE-2023-40305.patch | 15 +++++++++++++++
 fix-an-out-of-buffer-read-CVE-2023-40305.patch | 17 +++++++++++++++++
 indent.spec | 7 ++++++-
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 fix-a-heap-buffer-overwrite-CVE-2023-40305.patch
 create mode 100644 fix-an-out-of-buffer-read-CVE-2023-40305.patch
diff --git a/fix-a-heap-buffer-overwrite-CVE-2023-40305.patch b/fix-a-heap-buffer-overwrite-CVE-2023-40305.patch
new file mode 100644
index 0000000..1349237
--- /dev/null
+++ b/fix-a-heap-buffer-overwrite-CVE-2023-40305.patch
@@ -0,0 +1,15 @@
+From: Petr Písař
+Subject: Fix a heap buffer overwrite in search_brace() (CVE-2023-40305)
+Bug-Debian: https://bugs.debian.org/1049366
+Forwarded: https://savannah.gnu.org/bugs/index.php?64503
+
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -228,6 +228,7 @@
+ * a `dump_line' call, thus ensuring that the brace
+ * will go into the right column. */
+
++ need_chars (&save_com, 2);
+ *save_com.end++ = EOL;
+ *save_com.end++ = '{';
+ save_com.len += 2;
diff --git a/fix-an-out-of-buffer-read-CVE-2023-40305.patch b/fix-an-out-of-buffer-read-CVE-2023-40305.patch
new file mode 100644
index 0000000..404e40f
--- /dev/null
+++ b/fix-an-out-of-buffer-read-CVE-2023-40305.patch
@@ -0,0 +1,17 @@
+From: Petr Písař
+Subject: Fix an out-of-buffer read in search_brace()/lexi()
+Bug-Debian: https://bugs.debian.org/1049366
+Forwarded: https://savannah.gnu.org/bugs/index.php?64503
+
+--- a/src/indent.c
++++ b/src/indent.c
+@@ -145,8 +145,8 @@
+ parser_state_tos->search_brace = false;
+ bp_save = buf_ptr;
+ be_save = buf_end;
+- buf_ptr = save_com.ptr;
+ need_chars (&save_com, 1);
++ buf_ptr = save_com.ptr;
+ buf_end = save_com.end;
+ save_com.end = save_com.ptr; /* make save_com empty */
+ }
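Review bot: The added `need_chars (&save_com, 2);` in fix-a-heap-buffer-overwrite-CVE-2023-40305.patch has no comment tying the literal 2 to the two stores and the `save_com.len += 2` that follow it, so a later edit that appends a third character could reintroduce the overwrite unnoticed. I would put `/* reserve room for EOL and '{' before appending to save_com */` directly above the call. Only this one append site is visible in the hunk; any other `*save_com.end++` stores in search_brace() should be checked for a preceding reservation too, which cannot be confirmed from here. The enclosing function starts and ends outside the hunk.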
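Review bot: The reordering in fix-an-out-of-buffer-read-CVE-2023-40305.patch makes `buf_ptr = save_com.ptr;` depend on running after `need_chars (&save_com, 1);`, but nothing on the new lines records that dependency. Presumably need_chars() can move or grow the save_com storage, which would leave a `buf_ptr` taken beforehand pointing at the old buffer; its definition is not visible in this hunk, so that should be confirmed. A comment such as `/* need_chars() may change save_com.ptr; read it only afterwards */` above the assignment would keep a later cleanup from restoring the old order. The enclosing block starts outside the hunk.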
diff --git a/indent.spec b/indent.spec index 1556c83..9167eef 100644 --- a/indent.spec +++ b/indent.spec @@ -2,7 +2,7 @@ Name: indent Summary: A tool to make code easier to read Version: 2.2.11 -Release: 28 +Release: 29 License: GPLv3+ URL: http://www.gnu.org/software/%{name}/ Source: http://ftp.gnu.org/gnu/indent/%{name}-%{version}.tar.gz @@ -18,6 +18,8 @@ Patch13: indent-2.2.11-Support-hexadecimal-floats.patch Patch14: indent-2.2.11-Modernize-texi2html-arguments.patch Patch15: indent-2.2.11-doc-Correct-a-typo-about-enabling-control-comment.patch Patch16: indent-2.2.11-Fix-nbdfa-and-nbdfe-typo.patch +Patch17: fix-an-out-of-buffer-read-CVE-2023-40305.patch +Patch18: fix-a-heap-buffer-overwrite-CVE-2023-40305.patch BuildRequires: gettext-devel automake gcc autoconf BuildRequires: make coreutils gperf texinfo texi2html @@ -61,6 +63,9 @@ make -C regression %exclude %{_infodir}/dir %changelog +* Tue Aug 29 2023 wangkai <13474090681@163.com> - 2.2.11-29 +- Fix CVE-2023-40305 + * Thu Sep 10 2020 baizhonggui - 2.2.11-28 - fix source0