From f72d6d2a93fe85fe91f6f3c831142fdb7b615409 Mon Sep 17 00:00:00 2001
From: liyuxiang
Date: Wed, 9 Nov 2022 06:48:10 +0800
Subject: [PATCH] CVE-2022-40284

(cherry picked from commit 5761138b7de6dca79bcbe8c2e6b989d260e3ab0b)
---
 CVE-2022-40284_1.patch | 46 ++++++++++++++++++++++++++++++++++++++++++
 CVE-2022-40284_2.patch | 37 +++++++++++++++++++++++++++++++++
 ntfs-3g.spec | 7 ++++++-
 3 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-40284_1.patch
 create mode 100644 CVE-2022-40284_2.patch
diff --git a/CVE-2022-40284_1.patch b/CVE-2022-40284_1.patch
new file mode 100644
index 0000000..0ae5271
--- /dev/null
+++ b/CVE-2022-40284_1.patch
@@ -0,0 +1,46 @@ +From 18bfc676119a1188e8135287b8327b0760ba44a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= +Date: Wed, 14 Sep 2022 08:29:58 +0200 +Subject: [PATCH] Rejected zero-sized runs + +A zero-size run is the universal way to indentify the end of a runlist, +so we must reject zero-sized runs when decompressing a runlist. A +zero-size data run is an error, and a zero-size hole is simply ignored. +--- + libntfs-3g/runlist.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/libntfs-3g/runlist.c b/libntfs-3g/runlist.c +index c83c2b7d..720bdce6 100644 +--- a/libntfs-3g/runlist.c ++++ b/libntfs-3g/runlist.c +@@ -5,7 +5,7 @@ + * Copyright (c) 2002-2005 Richard Russon + * Copyright (c) 2002-2008 Szabolcs Szakacsits + * Copyright (c) 2004 Yura Pakhuchiy +- * Copyright (c) 2007-2010 Jean-Pierre Andre ++ * Copyright (c) 2007-2022 Jean-Pierre Andre + * + * This program/include file is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as published +@@ -918,11 +918,18 @@ static runlist_element *ntfs_mapping_pairs_decompress_i(const ntfs_volume *vol, + "array.\n"); + goto err_out; + } ++ /* chkdsk accepts zero-sized runs only for holes */ ++ if ((lcn != (LCN)-1) && !rl[rlpos].length) { ++ ntfs_log_debug( ++ "Invalid zero-sized data run.\n"); ++ goto err_out; ++ } + /* Enter the current lcn into the runlist element. */ + rl[rlpos].lcn = lcn; + } +- /* Get to the next runlist element. */ +- rlpos++; ++ /* Get to the next runlist element, skipping zero-sized holes */ ++ if (rl[rlpos].length) ++ rlpos++; + /* Increment the buffer position to the next mapping pair. */ + buf += (*buf & 0xf) + ((*buf >> 4) & 0xf) + 1; + } diff --git a/CVE-2022-40284_2.patch b/CVE-2022-40284_2.patch new file mode 100644 index 0000000..20b93a1 --- /dev/null +++ b/CVE-2022-40284_2.patch 
@@ -0,0 +1,37 @@ +From 76c3a799a97fbcedeeeca57f598be508ae2a1656 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= +Date: Wed, 14 Sep 2022 08:31:31 +0200 +Subject: [PATCH] Avoided merging runlists with no runs + +Runlists with no runs are tolerated though not expected. However merging +such runlists is problematic as there is no significant vcn to examine. +So avoid merging them, and just return the other runlist. +--- + libntfs-3g/runlist.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/libntfs-3g/runlist.c b/libntfs-3g/runlist.c +index 720bdce6..cb01e5a7 100644 +--- a/libntfs-3g/runlist.c ++++ b/libntfs-3g/runlist.c +@@ -994,13 +994,18 @@ static runlist_element *ntfs_mapping_pairs_decompress_i(const ntfs_volume *vol, + rl[rlpos].vcn = vcn; + rl[rlpos].length = (s64)0; + /* If no existing runlist was specified, we are done. */ +- if (!old_rl) { ++ if (!old_rl || !old_rl[0].length) { + ntfs_log_debug("Mapping pairs array successfully decompressed:\n"); + ntfs_debug_runlist_dump(rl); ++ if (old_rl) ++ free(old_rl); + return rl; + } + /* Now combine the new and old runlists checking for overlaps. */ +- old_rl = ntfs_runlists_merge(old_rl, rl); ++ if (rl[0].length) ++ old_rl = ntfs_runlists_merge(old_rl, rl); ++ else ++ free(rl); + if (old_rl) + return old_rl; + err = errno; diff --git a/ntfs-3g.spec b/ntfs-3g.spec index f9c1d7f..de134f8 100644 --- a/ntfs-3g.spec +++ b/ntfs-3g.spec @@ -1,6 +1,6 @@ Name: ntfs-3g Version: 2022.5.17 -Release: 1 +Release: 2 Epoch: 2 Summary: Linux NTFS userspace driver License: GPLv2+ 
@@ -8,6 +8,8 @@ URL: http://www.ntfs-3g.org/ Source0: http://tuxera.com/opensource/%{name}_ntfsprogs-%{version}%{?subver}.tgz Patch0: 0000-ntfs-3g_ntfsprogs-2011.10.9-RC-ntfsck-unsupported-return-0.patch Patch1: add-version-and-help-usage.patch +Patch2: CVE-2022-40284_1.patch +Patch3: CVE-2022-40284_2.patch BuildRequires: libtool, libattr-devel, libconfig-devel, libgcrypt-devel, gnutls-devel, libuuid-devel Provides: ntfsprogs-fuse = %{epoch}:%{version}-%{release} @@ -89,6 +91,9 @@ rm -rf $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}/README %{_mandir}/man*/* %changelog +* Thu Nov 10 2022 liyuxiang - 2:2022.5.17-2 +- fix CVE-2022-40284 + * Fri May 27 2022 wangkai - 2:2022.5.17-1 - Upgrade to 2022.5.17 to fix the cves -- Gitee
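Review bot: Patch2 and Patch3 are declared in this hunk, but the spec's diffstat (`7 ++++++-`: the Release bump, these two lines and the three changelog lines account for all six insertions) shows no matching `%patch2 -p1` / `%patch3 -p1` lines added to %prep, so unless %prep applies patches with `%autosetup -p1` or `%autopatch` — which lies outside the hunk — the two CVE-2022-40284 fixes are listed but never applied and the rebuilt package ships the same runlist code under a bumped Release. Worth confirming in %prep before merging; if Patch0 and Patch1 are applied there explicitly, add `%patch2 -p1` and `%patch3 -p1` next to them, since the embedded patches use `a/libntfs-3g/runlist.c` paths. The numbering order also matters: the second patch's index line (`720bdce6..cb01e5a7`) chains on the output of the first (`c83c2b7d..720bdce6`), so Patch2 must keep applying ahead of Patch3.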