From 8ff4e424ccb9c2ba5a6ab627411709b57308be93 Mon Sep 17 00:00:00 2001
From: lkx690 <likexin4@huawei.com>
Date: Tue, 17 Mar 2020 10:23:23 +0800
Subject: [PATCH] fix up CVE-2016-4074

---
 CVE-2016-4074.patch | 40 ++++++++++++++++++++++++++++++++++++++++
 jq.spec             |  6 +++++-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2016-4074.patch

diff --git a/CVE-2016-4074.patch b/CVE-2016-4074.patch
new file mode 100644
index 0000000..d736954
--- /dev/null
+++ b/CVE-2016-4074.patch
@@ -0,0 +1,40 @@
+From 83e2cf607f3599d208b6b3129092fa7deb2e5292 Mon Sep 17 00:00:00 2001
+From: W-Mark Kubacki <wmark@hurrikane.de>
+Date: Fri, 19 Aug 2016 19:50:39 +0200
+Subject: [PATCH] Skip printing what's below a MAX_PRINT_DEPTH
+
+This addresses #1136, and mitigates a stack exhaustion when printing
+a very deeply nested term.
+---
+ src/jv_print.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/jv_print.c b/src/jv_print.c
+index 5f4f234..ce4a59a 100644
+--- a/src/jv_print.c
++++ b/src/jv_print.c
+@@ -13,6 +13,10 @@
+ #include "jv_dtoa.h"
+ #include "jv_unicode.h"
+ 
++#ifndef MAX_PRINT_DEPTH
++#define MAX_PRINT_DEPTH (256)
++#endif
++
+ #define ESC "\033"
+ #define COL(c) (ESC "[" c "m")
+ #define COLRESET (ESC "[0m")
+@@ -150,7 +154,9 @@ static void jv_dump_term(struct dtoa_context* C, jv x, int flags, int indent, FI
+       }
+     }
+   }
+-  switch (jv_get_kind(x)) {
++  if (indent > MAX_PRINT_DEPTH) {
++    put_str("<skipped: too deep>", F, S, flags & JV_PRINT_ISATTY);
++  } else switch (jv_get_kind(x)) {
+   default:
+   case JV_KIND_INVALID:
+     if (flags & JV_PRINT_INVALID) {
+-- 
+1.8.3.1
+
diff --git a/jq.spec b/jq.spec
index b4c8bac..82c8fa7 100644
--- a/jq.spec
+++ b/jq.spec
@@ -1,11 +1,12 @@
 Name:           jq
 Version:        1.5
-Release:        15
+Release:        16
 Summary:        A lightweight and flexible command-line JSON processor
 License:        MIT and ASL 2.0 and CC-BY and GPLv3
 URL:            http://stedolan.github.io/jq/
 Source0:        https://github.com/stedolan/jq/releases/download/jq-%{version}/jq-%{version}.tar.gz
 Patch0:         CVE-2015-8863.patch
+Patch1:         CVE-2016-4074.patch
 BuildRequires:  flex bison valgrind
 
 %description
@@ -68,6 +69,9 @@ make check
 
 
 %changelog
+* Tue Mar 17 2020 likexin <likexin4@huawei.com> -1.5-16
+- fix up cve-2016-4074
+
 * Wed Jan 15 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.5-15
 - Delete unndeeded build requires
 
-- 
Gitee