Fix two Null Pointer Dereferences, thanks to NSFOCUS Security Team

0001-fix-data-null-pointer.patch

@@ -0,0 +1,14 @@
+diff --git a/CPP/7zip/Archive/LzhHandler.cpp b/CPP/7zip/Archive/LzhHandler.cpp
+index 21631f7..1f14621 100644
+--- a/CPP/7zip/Archive/LzhHandler.cpp
++++ b/CPP/7zip/Archive/LzhHandler.cpp
+@@ -163,7 +163,8 @@ struct CItem
+       return false;
+     }
+     const Byte *data = (const Byte *)(Extensions[index].Data);
+-    value = GetUi32(data);
++    if (!data) value = 0;
++    else value = GetUi32(data);
+     return true;
+   }
+

0001-fix-out-of-mem.patch

@@ -0,0 +1,26 @@
+diff --git a/C/Alloc.c b/C/Alloc.c
+index 2706ec0..3178e7a 100644
+--- a/C/Alloc.c
++++ b/C/Alloc.c
+@@ -58,12 +58,18 @@ void align_free(void * ptr)
+ #else
+ void *align_alloc(size_t size)
+ {
+-    return malloc(size);
++    void * p = malloc(size);
++    if(!p){
++        printf("Out of memory: can't allocate %u bytes\n",size);
++	abort();
++    }
++    return p;
+ }
+ 
+ void align_free(void * ptr)
+ {
+-  free(ptr);
++   if(!ptr) return;
++   free(ptr);
+ }
+ 
+ #endif
+

p7zip.spec

@@ -7,7 +7,7 @@
 Summary: Very high compression ratio file archiver
 Name: p7zip
 Version: 16.02
-Release: 19%{?dist}
+Release: 20%{?dist}
 # Files under C/Compress/Lzma/ are dual LGPL or CPL
 License: LGPLv2 and (LGPLv2+ or CPL)
 URL: http://p7zip.sourceforge.net/
@@ -29,6 +29,8 @@ Patch7: 05-hardening-flags.patch
 Patch10: CVE-2017-17969.patch
 Patch11: 14-Fix-g++-warning.patch
 Patch12: gcc10-conversion.patch
+Patch13: 0001-fix-data-null-pointer.patch
+Patch14: 0001-fix-out-of-mem.patch
 
 BuildRequires: make
 BuildRequires: gcc
@@ -174,6 +176,9 @@ make test
 
 
 %changelog
+* Thu Apr 22 2021 Sérgio Basto <sergio@serjux.com> - 16.02-20
+- Fix two Null Pointer Dereferences, thanks to NSFOCUS Security Team
+
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 16.02-19
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild