From 41f0dac71d81fd66292742d1ca477c039fd006e9 Mon Sep 17 00:00:00 2001
From: hanchao <hanchao47@huawei.com>
Date: Tue, 8 Feb 2022 10:47:44 +0800
Subject: [PATCH] fix CVE-2021-39293

Signed-off-by: hanchao <hanchao47@huawei.com>
---
 ...o1.17-archive-zip-prevent-preallocat.patch | 80 +++++++++++++++++++
 golang.spec                                   |  6 +-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 0039-release-branch.go1.17-archive-zip-prevent-preallocat.patch

diff --git a/0039-release-branch.go1.17-archive-zip-prevent-preallocat.patch b/0039-release-branch.go1.17-archive-zip-prevent-preallocat.patch
new file mode 100644
index 0000000..4ca79c7
--- /dev/null
+++ b/0039-release-branch.go1.17-archive-zip-prevent-preallocat.patch
@@ -0,0 +1,80 @@
+From a281278476947f2b33d67056e2a2bbc70eb97e50 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 7 Feb 2022 11:25:02 +0800
+Subject: [Backport] [release-branch.go1.17] archive/zip: prevent preallocation
+ check from overflowing
+
+If the indicated directory size in the archive header is so large that
+subtracting it from the archive size overflows a uint64, the check that
+the indicated number of files in the archive can be effectively
+bypassed. Prevent this from happening by checking that the indicated
+directory size is less than the size of the archive.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to
+Emmanuel Odeke for reporting it.
+
+Fixes #47986
+Updates #47801
+Fixes CVE-2021-39293
+
+Change-Id: Ifade26b98a40f3b37398ca86bd5252d12394dd24
+Reviewed-on: https://go-review.googlesource.com/c/go/+/343434
+Trust: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Russ Cox <rsc@golang.org>
+(cherry picked from commit bacbc33439b124ffd7392c91a5f5d96eca8c0c0b)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/345410
+Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
+Run-TryBot: Emmanuel Odeke <emmanuel@orijtech.com>
+Trust: Cherry Mui <cherryyz@google.com>
+
+Reference:https://go-review.googlesource.com/c/go/+/345410
+Conflict:NA
+---
+ src/archive/zip/reader.go      |  2 +-
+ src/archive/zip/reader_test.go | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
+index 2d5151a..a695773 100644
+--- a/src/archive/zip/reader.go
++++ b/src/archive/zip/reader.go
+@@ -90,7 +90,7 @@ func (z *Reader) init(r io.ReaderAt, size int64) error {
+ 	// indicate it contains up to 1 << 128 - 1 files. Since each file has a
+ 	// header which will be _at least_ 30 bytes we can safely preallocate
+ 	// if (data size / 30) >= end.directoryRecords.
+-	if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
++	if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
+ 		z.File = make([]*File, 0, end.directoryRecords)
+ 	}
+ 	z.Comment = end.comment
+diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
+index 79e570f..24b779e 100644
+--- a/src/archive/zip/reader_test.go
++++ b/src/archive/zip/reader_test.go
+@@ -1113,3 +1113,21 @@ func TestCVE202133196(t *testing.T) {
+ 		t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
+ 	}
+ }
++
++func TestCVE202139293(t *testing.T) {
++	// directory size is so large, that the check in Reader.init
++	// overflows when subtracting from the archive size, causing
++	// the pre-allocation check to be bypassed.
++	data := []byte{
++		0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
++		0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
++		0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
++		0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
++		0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
++		0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff,
++	}
++	_, err := NewReader(bytes.NewReader(data), int64(len(data)))
++	if err != ErrFormat {
++		t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
++	}
++}
+-- 
+2.30.0
+
diff --git a/golang.spec b/golang.spec
index 8f2fbcd..e377064 100644
--- a/golang.spec
+++ b/golang.spec
@@ -62,7 +62,7 @@
 
 Name:           golang
 Version:        1.13.15
-Release:        8
+Release:        9
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -177,6 +177,7 @@ Patch6035:       0035-release-branch.go1.16-misc-wasm-cmd-link-do-not-let-.patch
 Patch6036:       0036-net-http-httputil-close-incoming-ReverseProxy-reques.patch
 Patch6037:       0037-release-branch.go1.16-debug-macho-fail-on-invalid-dy.patch
 Patch6038:       0038-release-branch.go1.16-net-http-update-bundled-golang.patch
+Patch6039:       0039-release-branch.go1.17-archive-zip-prevent-preallocat.patch
 
 ExclusiveArch:  %{golang_arches}
 
@@ -410,6 +411,9 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Tue Feb 8 2022 hanchao<hanchao47@huawei.com> - 1.13.15-9
+- fix CVE-2021-39293
+
 * Wed Jan 19 2022 hanchao<hanchao47@huawei.com> - 1.13.15-8
 - fix CVE-2021-44716
 
-- 
Gitee