From 525330b8530cad7680008100e5a3cea6a009f675 Mon Sep 17 00:00:00 2001
From: Nathan Owens
Date: Sat, 28 Dec 2019 18:27:42 -0600
Subject: [PATCH] matio: CVE-2019-20020 patch
Signed-off-by: Nathan Owens
---
 srcpkgs/matio/patches/CVE-2019-20020.patch | 45 ++++++++++++++++++++++
 srcpkgs/matio/template | 2 +-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/matio/patches/CVE-2019-20020.patch
diff --git a/srcpkgs/matio/patches/CVE-2019-20020.patch b/srcpkgs/matio/patches/CVE-2019-20020.patch
new file mode 100644
index 00000000000..f86cee5ec1a
--- /dev/null
+++ b/srcpkgs/matio/patches/CVE-2019-20020.patch
@@ -0,0 +1,45 @@
+From 8138e767bf6df7cccf1664f3a854e596628fdb2d Mon Sep 17 00:00:00 2001
+From: Nathan Owens
+Date: Sat, 28 Dec 2019 18:25:58 -0600
+Subject: [PATCH] matio: CVE-2019-20020 patch
+
+Signed-off-by: Nathan Owens
+---
+ src/mat5.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/src/mat5.c b/src/mat5.c
+index abdb351..776f233 100644
+--- src/mat5.c
++++ src/mat5.c
+@@ -980,10 +980,26 @@ ReadNextCell( mat_t *mat, matvar_t *matvar )
+ /* Rank and Dimension */
+ if ( uncomp_buf[0] == MAT_T_INT32 ) {
+ int j;
++ size_t size;
+ cells[i]->rank = uncomp_buf[1];
+ nbytes -= cells[i]->rank;
+ cells[i]->rank /= 4;
+- cells[i]->dims = (size_t*)malloc(cells[i]->rank*sizeof(*cells[i]->dims));
++ if ( 0 == do_clean && cells[i]->rank > 13 ) {
++ int rank = cells[i]->rank;
++ cells[i]->rank = 0;
++ Mat_Critical("%d is not a valid rank", rank);
++ continue;
++ }
++ err = SafeMul(&size, cells[i]->rank, sizeof(*cells[i]->dims));
++ if ( err ) {
++ if ( do_clean )
++ free(dims);
++ Mat_VarFree(cells[i]);
++ cells[i] = NULL;
++ Mat_Critical("Integer multiplication overflow");
++ continue;
++ }
++ cells[i]->dims = (size_t*)malloc(size);
+ if ( mat->byteswap ) {
+ for ( j = 0; j < cells[i]->rank; j++ )
+ cells[i]->dims[j] = Mat_uint32Swap(dims + j);
+--
+2.24.1
+
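Review bot: The result of `cells[i]->dims = (size_t*)malloc(size);` in the embedded src/mat5.c patch is still used without a NULL check, and the byteswap loop on the following lines writes `cells[i]->dims[j]` straight away. The rank is taken from `uncomp_buf[1]`, which appears to come from the file being parsed, and the `rank > 13` bound is only enforced when `do_clean` is 0, so a large but non-overflowing rank can still reach the allocation and turn a failed malloc into a NULL write. I would add a failure branch after the malloc that does the same cleanup as the `err` branch above it, assuming `Mat_VarFree` tolerates a cell whose `dims` is NULL, as that branch already implies. The body of ReadNextCell continues outside this hunk, so the non-byteswap copy path should be checked for the same assumption.

```c
cells[i]->dims = (size_t*)malloc(size);
if ( NULL == cells[i]->dims ) {
    /* same cleanup as the SafeMul failure branch */
    if ( do_clean )
        free(dims);
    Mat_VarFree(cells[i]);
    cells[i] = NULL;
    Mat_Critical("Couldn't allocate memory");
    continue;
}
/* … unchanged: byteswap / plain copy loops over cells[i]->rank … */
```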
diff --git a/srcpkgs/matio/template b/srcpkgs/matio/template
index 9bd663e26b2..63d059701b6 100644
--- a/srcpkgs/matio/template
+++ b/srcpkgs/matio/template
@@ -1,7 +1,7 @@
 # Template file for 'matio'
 pkgname=matio
 version=1.5.17
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--disable-static"
 hostmakedepends="libtool"