!25 Fix a clang analyzer 14 warning about a possible NULL deref.

From: @meng-wenhua 
Reviewed-by: @Charlie_li 
Signed-off-by: @Charlie_li

CVE-2022-33070.patch

@@ -0,0 +1,73 @@
+diff -Naru "protobuf-c-1.4.0 copy/protobuf-c/protobuf-c.c" protobuf-c-1.4.0/protobuf-c/protobuf-c.c
+--- "protobuf-c-1.4.0 copy/protobuf-c/protobuf-c.c"	2022-07-04 11:35:58.920205000 +0800
++++ protobuf-c-1.4.0/protobuf-c/protobuf-c.c	2022-07-04 11:41:59.158278000 +0800
+@@ -316,9 +316,8 @@
+ static inline uint32_t
+ zigzag32(int32_t v)
+ {
+-	// Note:  the right-shift must be arithmetic
+-	// Note:  left shift must be unsigned because of overflow
+-	return ((uint32_t)(v) << 1) ^ (uint32_t)(v >> 31);
++	// Note:  Using unsigned types prevents undefined behavior
++	return ((uint32_t)v << 1) ^ -((uint32_t)v >> 31);
+ }
+ 
+ /**
+@@ -380,9 +379,8 @@
+ static inline uint64_t
+ zigzag64(int64_t v)
+ {
+-	// Note:  the right-shift must be arithmetic
+-	// Note:  left shift must be unsigned because of overflow
+-	return ((uint64_t)(v) << 1) ^ (uint64_t)(v >> 63);
++	// Note:  Using unsigned types prevents undefined behavior
++	return ((uint64_t)v << 1) ^ -((uint64_t)v >> 63);
+ }
+ 
+ /**
+@@ -802,7 +800,8 @@
+ }
+ 
+ /**
+- * Pack a signed 32-bit integer and return the number of bytes written.
++ * Pack a signed 32-bit integer and return the number of bytes written,
++ * passed as unsigned to avoid implementation-specific behavior.
+  * Negative numbers are encoded as two's complement 64-bit integers.
+  *
+  * \param value
+@@ -813,14 +812,14 @@
+  *      Number of bytes written to `out`.
+  */
+ static inline size_t
+-int32_pack(int32_t value, uint8_t *out)
++int32_pack(uint32_t value, uint8_t *out)
+ {
+-	if (value < 0) {
++	if ((int32_t)value < 0) {
+ 		out[0] = value | 0x80;
+ 		out[1] = (value >> 7) | 0x80;
+ 		out[2] = (value >> 14) | 0x80;
+ 		out[3] = (value >> 21) | 0x80;
+-		out[4] = (value >> 28) | 0x80;
++		out[4] = (value >> 28) | 0xf0;
+ 		out[5] = out[6] = out[7] = out[8] = 0xff;
+ 		out[9] = 0x01;
+ 		return 10;
+@@ -2425,7 +2424,7 @@
+ unzigzag32(uint32_t v)
+ {
+ 	// Note:  Using unsigned types prevents undefined behavior
+-	return (int32_t)((v >> 1) ^ (~(v & 1) + 1));
++	return (int32_t)((v >> 1) ^ -(v & 1));
+ }
+ 
+ static inline uint32_t
+@@ -2467,7 +2466,7 @@
+ unzigzag64(uint64_t v)
+ {
+ 	// Note:  Using unsigned types prevents undefined behavior
+-	return (int64_t)((v >> 1) ^ (~(v & 1) + 1));
++	return (int64_t)((v >> 1) ^ -(v & 1));
+ }
+ 
+ static inline uint64_t

backport-0001-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch

@@ -0,0 +1,28 @@
+From ab5f76a52bade28a2c025bd52c7847f033ca82f3 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Wed, 29 Jun 2022 11:18:16 -0600
+Subject: [PATCH] Fix a clang analyzer 14 warning about a possible NULL deref.
+
+[edmonds: Import commit from
+https://github.com/sudo-project/sudo/commit/bfc6249902d842626058e74074832930feaf2f80.patch.]
+---
+ protobuf-c/protobuf-c.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/protobuf-c/protobuf-c.c b/protobuf-c/protobuf-c.c
+index 448f3e8..ad3ab12 100644
+--- a/protobuf-c/protobuf-c.c
++++ b/protobuf-c/protobuf-c.c
+@@ -3231,6 +3231,9 @@ protobuf_c_message_unpack(const ProtobufCMessageDescriptor *desc,
+ 	/* allocate space for repeated fields, also check that all required fields have been set */
+ 	for (f = 0; f < desc->n_fields; f++) {
+ 		const ProtobufCFieldDescriptor *field = desc->fields + f;
++		if (field == NULL) {
++			continue;
++		}
+ 		if (field->label == PROTOBUF_C_LABEL_REPEATED) {
+ 			size_t siz =
+ 			    sizeof_elt_in_repeated_array(field->type);
+-- 
+2.37.3.windows.1
+

backport-0001-Fix-issue-499-unsigned-integer-overflow.patch

@@ -0,0 +1,35 @@
+From 289f5c18b195aa43d46a619d1188709abbfa9c82 Mon Sep 17 00:00:00 2001
+From: 10054172 <hui.zhang@thalesgroup.com>
+Date: Fri, 18 Mar 2022 12:42:57 -0400
+Subject: [PATCH 1/2] Fix issue #499: unsigned integer overflow
+
+Signed-off-by: 10054172 <hui.zhang@thalesgroup.com>
+---
+ protobuf-c/protobuf-c.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/protobuf-c/protobuf-c.c b/protobuf-c/protobuf-c.c
+index 98052cd..ec2d40a 100644
+--- a/protobuf-c/protobuf-c.c
++++ b/protobuf-c/protobuf-c.c
+@@ -2603,10 +2603,13 @@ parse_required_member(ScannedMember *scanned_member,
+ 			return FALSE;
+ 
+ 		def_mess = scanned_member->field->default_value;
+-		subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+-						 allocator,
+-						 len - pref_len,
+-						 data + pref_len);
++		if (len > pref_len)
++			subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
++							 allocator,
++							 len - pref_len,
++							 data + pref_len);
++		else
++			subm = NULL;
+ 
+ 		if (maybe_clear &&
+ 		    *pmessage != NULL &&
+-- 
+2.37.3.windows.1
+

backport-0002-Fix-regression-with-zero-length-messages-introduced-.patch

@@ -0,0 +1,28 @@
+From 0d1fd124a4e0a07b524989f6e64410ff648fba61 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Thu, 9 Jun 2022 07:34:55 -0600
+Subject: [PATCH 2/2] Fix regression with zero-length messages introduced in
+ protobuf-c PR 500.
+
+[edmonds: Import bugfix from
+https://github.com/sudo-project/sudo/commit/b6a6451482a3ff5e30f43ef888159d4b0d39143b.patch.]
+---
+ protobuf-c/protobuf-c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/protobuf-c/protobuf-c.c b/protobuf-c/protobuf-c.c
+index ec2d40a..448f3e8 100644
+--- a/protobuf-c/protobuf-c.c
++++ b/protobuf-c/protobuf-c.c
+@@ -2603,7 +2603,7 @@ parse_required_member(ScannedMember *scanned_member,
+ 			return FALSE;
+ 
+ 		def_mess = scanned_member->field->default_value;
+-		if (len > pref_len)
++		if (len >= pref_len)
+ 			subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+ 							 allocator,
+ 							 len - pref_len,
+-- 
+2.37.3.windows.1
+

protobuf-c.spec

@@ -1,14 +1,20 @@
 Name:           protobuf-c
-Version:        1.3.2
-Release:        2
+Version:        1.4.0
+Release:        4
 Summary:        This is protobuf-c, a C implementation of the Google Protocol Buffers data serialization format
 License:        BSD
 URL:            https://github.com/protobuf-c/protobuf-c
-Source0:        https://github.com/protobuf-c/protobuf-c/archive/v%{version}.tar.gz 
+Source0:        %{url}/archive/refs/tags/v%{version}.tar.gz
+#https://github.com/protobuf-c/protobuf-c/pull/508/files
+Patch0001:      CVE-2022-33070.patch
 BuildRequires:  autoconf automake libtool gcc-c++ pkgconfig(protobuf)
 Provides:       %{name}-compiler = %{version}-%{release}
 Obsoletes:      %{name}-compiler < %{version}-%{release}
 
+Patch6000:      backport-0001-Fix-issue-499-unsigned-integer-overflow.patch
+Patch6001:      backport-0002-Fix-regression-with-zero-length-messages-introduced-.patch
+Patch6002:      backport-0001-Fix-a-clang-analyzer-14-warning-about-a-possible-NUL.patch
+
 %description
 This is protobuf-c, a C implementation of the Google Protocol Buffers data serialization format.
 
@@ -35,10 +41,7 @@ make check
 %make_install
 %delete_la
 
-%post
-/sbin/ldconfig
-%postun
-/sbin/ldconfig
+%ldconfig_scriptlets
 
 %files
 %doc TODO LICENSE ChangeLog
@@ -51,5 +54,23 @@ make check
 %{_libdir}/{libprotobuf-c.so,pkgconfig/libprotobuf-c.pc}
 
 %changelog
+* Sat Jan 7 2023 mengwenhua <mengwenhua@xfusion.com> - 1.4.0-4
+- Fix a clang analyzer 14 warning about a possible NULL deref.
+
+* Sat Jan 7 2023 mengwenhua<mengwenhua@xfusion.com> - 1.4.0-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix unsigned integer overflow
+
+* Mon Jul 4 2022 dengyuyu <yuyu.deng@epro.com.cn> - 1.4.0-2
+- fix CVE-2022-33070
+
+* Thu Dec 02 2021 wujing <wujing50@huawei.com> - 1.4.0-1
+Type:upgrade
+ID:NA
+SUG:NA
+DESC: upgrade to 1.4.0-1
+
 * Fri Feb 14 2020 Senlin Xia <xiasenlin1@huawei.com> - 1.3.2-2
 - Package init

protobuf-c.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: protobuf-c/protobuf-c
+tag_prefix: "^v"
+seperator: "."