authorjbeich <jbeich@FreeBSD.org>2016-03-09 05:15:16 +0800
committerjbeich <jbeich@FreeBSD.org>2016-03-09 05:15:16 +0800
commiteca7a25998a0b4cedfb87d16edd21d68fcacd0d5 (patch)
tree6dbd59070fb0e9b3a50935f6fc16cf800566fcfc /archivers/brotli
parent1360b427cc719e26ca3181813a8ea0296555f999 (diff)
archivers/brotli, devel/libbrotli: fix buffer overflow
Obtained from: upstream Security: 1bcfd963-e483-41b8-ab8e-bad5c3ce49c9 MFH: 2016Q1
Diffstat (limited to 'archivers/brotli')
-rw-r--r--archivers/brotli/Makefile1
-rw-r--r--archivers/brotli/files/patch-CVE-2016-162424
2 files changed, 25 insertions, 0 deletions
diff --git a/archivers/brotli/Makefile b/archivers/brotli/Makefile
index 3dbaa751725a..7db5ad954ac9 100644
--- a/archivers/brotli/Makefile
+++ b/archivers/brotli/Makefile
@@ -4,6 +4,7 @@
PORTNAME= brotli
PORTVERSION= 0.3.0
DISTVERSIONPREFIX= v
+PORTREVISION= 1
CATEGORIES= archivers
MAINTAINER= sunpoet@FreeBSD.org
diff --git a/archivers/brotli/files/patch-CVE-2016-1624 b/archivers/brotli/files/patch-CVE-2016-1624
new file mode 100644
index 000000000000..781d1283e144
--- /dev/null
+++ b/archivers/brotli/files/patch-CVE-2016-1624
@@ -0,0 +1,24 @@
+From 37a320dd81db8d546cd24a45b4c61d87b45dcade Mon Sep 17 00:00:00 2001
+From: eustas <eustas.ru@gmail.com>
+Date: Thu, 4 Feb 2016 15:35:44 +0100
+Subject: [PATCH] Fix possible pointer underflow
+
+---
+ dec/decode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/dec/decode.c b/dec/decode.c
+index 920959c..892a254 100644
+--- dec/decode.c
++++ dec/decode.c
+@@ -1714,6 +1714,10 @@ static BROTLI_INLINE BrotliResult ProcessCommandsInternal(int safe,
+ } else {
+ const uint8_t *ringbuffer_end_minus_copy_length =
+ s->ringbuffer_end - i;
++ /* Check for possible underflow and clamp the pointer to 0. */
++ if (PREDICT_FALSE(s->ringbuffer_end < (const uint8_t*)0 + i)) {
++ ringbuffer_end_minus_copy_length = 0;
++ }
+ uint8_t* copy_src = &s->ringbuffer[
+ (pos - s->distance_code) & s->ringbuffer_mask];
+ uint8_t* copy_dst = &s->ringbuffer[pos];
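Review bot: The guard `if (PREDICT_FALSE(s->ringbuffer_end < (const uint8_t*)0 + i))` does arithmetic on a null pointer, and it runs only after `s->ringbuffer_end - i` has already been evaluated in the initializer above it. Both computations are undefined in C once the result falls outside the ring buffer object, so an optimizing compiler may drop the check this security fix depends on. Assuming `i` is a non-negative copy length, an integer comparison states the same intent without pointer arithmetic, for example `if (PREDICT_FALSE((uintptr_t)s->ringbuffer_end < (uintptr_t)i))`, with the subtraction done only when that test fails. The new `if` also sits between declarations (`copy_src` and `copy_dst` follow it), which would be rejected or warned about if the port builds this file as C89. ProcessCommandsInternal starts and ends outside the hunk, so how the clamped pointer is used afterwards cannot be checked from here.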