From 93f9ef1a945d119568aeed695faf6719c8c72028 Mon Sep 17 00:00:00 2001
From: Lumir Balhar
Date: Tue, 5 Apr 2022 12:22:17 +0200
Subject: [PATCH] Security fixes for CVE-2022-0496 and CVE-2022-0497
---
 CVE-2022-0496.patch | 74 +++++++++++++++++++++++++++++++++++++++++++++
 CVE-2022-0497.patch | 27 +++++++++++++++++
 openscad.spec | 11 +++++--
 3 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2022-0496.patch
 create mode 100644 CVE-2022-0497.patch
diff --git a/CVE-2022-0496.patch b/CVE-2022-0496.patch
new file mode 100644
index 0000000..c0ce898
--- /dev/null
+++ b/CVE-2022-0496.patch
@@ -0,0 +1,74 @@ +From 770e3234cbfe66edbc0333f796b46d36a74aa652 Mon Sep 17 00:00:00 2001 +From: ChrisCoxArt +Date: Sat, 15 Jan 2022 19:40:09 -0800 +Subject: [PATCH] add safety to line lookups in DXF import, fixes #4037 + +Add safety (test for, and continue past, bad indices). +Report warnings about bad indices +Add variables just to make the array indices easier to read and debug. +--- + src/dxfdata.cc | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/src/dxfdata.cc b/src/dxfdata.cc +index 2bb7236746..aa6b6f3976 100644 +--- a/src/dxfdata.cc ++++ b/src/dxfdata.cc +@@ -441,6 +441,11 @@ DxfData::DxfData(double fn, double fs, double fa, + auto lv = grid.data(this->points[lines[idx].idx[j]][0], this->points[lines[idx].idx[j]][1]); + for (size_t ki = 0; ki < lv.size(); ++ki) { + int k = lv.at(ki); ++ if (k < 0 || k >= lines.size()) { ++ LOG(message_group::Warning,Location::NONE,"", ++ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); ++ continue; ++ } + if (k == idx || lines[k].disabled) continue; + goto next_open_path_j; + } +@@ -466,13 +471,20 @@ DxfData::DxfData(double fn, double fs, double fa, + auto lv = grid.data(ref_point[0], ref_point[1]); + for (size_t ki = 0; ki < lv.size(); ++ki) { + int k = lv.at(ki); ++ if (k < 0 || k >= lines.size()) { ++ LOG(message_group::Warning,Location::NONE,"", ++ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); ++ continue; ++ } + if (lines[k].disabled) continue; +- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) { ++ auto idk0 = lines[k].idx[0]; // make it easier to read and debug ++ auto idk1 = lines[k].idx[1]; ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) { + current_line = k; + current_point = 0; + goto found_next_line_in_open_path; + } +- if 
(grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) { ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) { + current_line = k; + current_point = 1; + goto found_next_line_in_open_path; +@@ -501,13 +513,20 @@ DxfData::DxfData(double fn, double fs, double fa, + auto lv = grid.data(ref_point[0], ref_point[1]); + for (size_t ki = 0; ki < lv.size(); ++ki) { + int k = lv.at(ki); ++ if (k < 0 || k >= lines.size()) { ++ LOG(message_group::Warning,Location::NONE,"", ++ "Bad DXF line index in %1$s.",QuotedString(boostfs_uncomplete(filename, fs::current_path()).generic_string())); ++ continue; ++ } + if (lines[k].disabled) continue; +- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[0]][0], this->points[lines[k].idx[0]][1])) { ++ auto idk0 = lines[k].idx[0]; // make it easier to read and debug ++ auto idk1 = lines[k].idx[1]; ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk0][0], this->points[idk0][1])) { + current_line = k; + current_point = 0; + goto found_next_line_in_closed_path; + } +- if (grid.eq(ref_point[0], ref_point[1], this->points[lines[k].idx[1]][0], this->points[lines[k].idx[1]][1])) { ++ if (grid.eq(ref_point[0], ref_point[1], this->points[idk1][0], this->points[idk1][1])) { + current_line = k; + current_point = 1; + goto found_next_line_in_closed_path; diff --git a/CVE-2022-0497.patch b/CVE-2022-0497.patch new file mode 100644 index 0000000..fac3024 --- /dev/null +++ b/CVE-2022-0497.patch 
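Review bot: The new guard `if (k < 0 || k >= lines.size())`, repeated at three sites in this hunk, compares the `int` `k` with the `size_t` returned by `lines.size()`, which -Wsign-compare flags even though the preceding `k < 0` test makes the comparison safe; `if (k < 0 || static_cast<size_t>(k) >= lines.size()) {` states the intent without the warning, and a file-local `static bool validLineIndex(int k, size_t n)` would keep the three copies from drifting apart. The warning text is identical at all three sites and does not include the offending value, so three reports from one file are indistinguishable; if `LOG` forwards to boost::format as the `%1$s` placeholder suggests, appending `, index %2$d` with `k` as a second argument would fix that. The guard covers only the index into `lines`: the new `idk0`/`idk1` still index `this->points` unchecked, and whether `lines[k].idx` can hold an out-of-range value depends on how `lines` is filled earlier in the constructor, outside this hunk, so a one-line comment stating where `idx[]` comes from and why it needs no range check would make the asymmetry deliberate. The enclosing `DxfData::DxfData` constructor starts before the hunk and continues after it.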
@@ -0,0 +1,27 @@ +From 84addf3c1efbd51d8ff424b7da276400bbfa1a4b Mon Sep 17 00:00:00 2001 +From: Torsten Paul +Date: Sat, 5 Feb 2022 18:45:29 +0100 +Subject: [PATCH] CVE-2022-0497 Out-of-bounds memory access in comment parser. + +Public issue: +https://github.com/openscad/openscad/issues/4043 + +Fix in master branch: +https://github.com/openscad/openscad/pull/4044 +--- + src/comment.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/comment.cpp b/src/comment.cpp +index f02ad2c5f6..1ce3ab547b 100644 +--- a/src/comment.cpp ++++ b/src/comment.cpp +@@ -92,7 +92,7 @@ static std::string getComment(const std::string &fulltext, int line) + } + + int end = start + 1; +- while (fulltext[end] != '\n') end++; ++ while (end < fulltext.size() && fulltext[end] != '\n') end++; + + std::string comment = fulltext.substr(start, end - start); + diff --git a/openscad.spec b/openscad.spec index 53199c8..0932f81 100644 --- a/openscad.spec +++ b/openscad.spec @@ -1,7 +1,7 @@ Name: openscad Version: 2021.01 %global upversion %{version} -Release: 7%{?dist} +Release: 8%{?dist} Summary: The Programmers Solid 3D CAD Modeller # COPYING contains a linking exception for CGAL # Appdata file is CC0 @@ -21,7 +21,10 @@ Patch1: %{name}-cgal5.3.patch Patch2: %{name}-2021.01-fix-overloaded-join.patch # https://github.com/openscad/openscad/commit/71f2831c0484c3f35cbf44e1d1dc2c857384100b Patch3: %{name}-2021.01-cgal-build-fix.patch - +# https://github.com/openscad/openscad/commit/770e3234cbfe66edbc0333f796b46d36a74aa652 +Patch4: CVE-2022-0496.patch +# https://github.com/openscad/openscad/commit/84addf3c1efbd51d8ff424b7da276400bbfa1a4b +Patch5: CVE-2022-0497.patch BuildRequires: CGAL-devel >= 3.6 BuildRequires: ImageMagick 
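Review bot: `end` is declared `int` on the context line just above the changed one, so the new `end < fulltext.size()` is itself a signed/unsigned comparison; `start` is declared outside the hunk and its type is not visible, but giving `end` the string's own index type, `std::string::size_type end = start + 1;`, removes the warning and rules out a negative index altogether. The bound also protects only the scan loop: if the line-locating loop above can leave `start == fulltext.size()`, `end` becomes `size() + 1` and the following `fulltext.substr(start, end - start)` relies on `pos == size()` being accepted (it is, but `pos > size()` throws `std::out_of_range`), so a comment such as `// start may equal size() for a line past EOF; substr accepts pos == size()` would record the assumption being relied on. `getComment` starts before the hunk and continues after it.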
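Review bot: The hunk removes the blank line that separated the `Patch` list from the `BuildRequires` block (the lone `-` line) without restoring it, so `Patch5: CVE-2022-0497.patch` now abuts `BuildRequires: CGAL-devel >= 3.6`; add an empty line after `Patch5:` to keep the two sections visually separate. The new patch files also break the `%{name}-…` naming used by Patch1–Patch3; `%{name}-2021.01-CVE-2022-0496.patch` and `%{name}-2021.01-CVE-2022-0497.patch` would match. Whether the two patches are actually applied depends on `%prep`, which is outside this hunk: with `%autosetup -p1` the declarations suffice, but an explicit `%patchN` list would need two new entries.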
@@ -224,6 +227,10 @@ cd - %{_datadir}/%{name}/libraries/MCAD/bitmap/*.scad %changelog +* Tue Apr 05 2022 Lumír Balhar - 2021.01-8 +- Security fixes for CVE-2022-0496 and CVE-2022-0497 +- Fixes: rhbz#2050696 rhbz#2050700 + * Fri Feb 11 2022 Tom Callaway - 2021.01-7 - apply upstream fix for build issue with overloaded join() - fix build against new CGAL 5.4