termux-packages/packages/ncurses/CVE-2022-29458.patch

--- ncurses-6.3-20220409+/ncurses/tinfo/read_entry.c	2021-06-26 19:43:17.000000000 +0000
+++ ncurses-6.3-20220416/ncurses/tinfo/read_entry.c	2022-04-16 21:00:00.000000000 +0000
@@ -1,5 +1,5 @@
 /****************************************************************************
- * Copyright 2018-2020,2021 Thomas E. Dickey                                *
+ * Copyright 2018-2021,2022 Thomas E. Dickey                                *
  * Copyright 1998-2016,2017 Free Software Foundation, Inc.                  *
  *                                                                          *
  * Permission is hereby granted, free of charge, to any person obtaining a  *
@@ -42,7 +42,7 @@
 
 #include <tic.h>
 
-MODULE_ID("$Id: read_entry.c,v 1.161 2021/06/26 19:43:17 tom Exp $")
+MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
 
 #define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
 
@@ -145,6 +145,7 @@
 {
     int i;
     char *p;
+    bool corrupt = FALSE;
 
     for (i = 0; i < count; i++) {
 	if (IS_NEG1(buf + 2 * i)) {
@@ -154,8 +155,20 @@
 	} else if (MyNumber(buf + 2 * i) > size) {
 	    Strings[i] = ABSENT_STRING;
 	} else {
-	    Strings[i] = (MyNumber(buf + 2 * i) + table);
-	    TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
+	    int nn = MyNumber(buf + 2 * i);
+	    if (nn >= 0 && nn < size) {
+		Strings[i] = (nn + table);
+		TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
+				    _nc_visbuf(Strings[i])));
+	    } else {
+		if (!corrupt) {
+		    corrupt = TRUE;
+		    TR(TRACE_DATABASE,
+		       ("ignore out-of-range index %d to Strings[]", nn));
+		    _nc_warning("corrupt data found in convert_strings");
+		}
+		Strings[i] = ABSENT_STRING;
+	    }
 	}
 
 	/* make sure all strings are NUL terminated */