bctoolbox: bctoolbox: fix use-after-free

srcpkgs/bctoolbox/patches/map-use-after-free.patch

@@ -0,0 +1,24 @@
+bctbx_iterator_ullong_get_next always return its input
+return a newly allocated memory buffer instead.
+changes modeled after bctbx_map_begin_type<T>
+Index: bctoolbox-5.1.17/src/containers/map.cc
+===================================================================
+--- bctoolbox-5.1.17.orig/src/containers/map.cc
++++ bctoolbox-5.1.17/src/containers/map.cc
+@@ -229,12 +229,16 @@ extern "C" bctbx_iterator_t *bctbx_itera
+ 	return bctbx_iterator_get_next_type<mmap_cchar_t>(it);
+ }
+ extern "C" bctbx_iterator_t *bctbx_iterator_ullong_get_next_and_delete(bctbx_iterator_t *it) {
++	typedef mmap_ullong_t::iterator iterator;
+ 	bctbx_iterator_t * next = bctbx_iterator_ullong_get_next(it);
++	next = (bctbx_iterator_t *)(new iterator(*((iterator *)(next))));
+ 	bctbx_iterator_ullong_delete(it);
+ 	return next;
+ }
+ extern "C" bctbx_iterator_t *bctbx_iterator_cchar_get_next_and_delete(bctbx_iterator_t *it) {
++	typedef mmap_cchar_t::iterator iterator;
+ 	bctbx_iterator_t * next = bctbx_iterator_cchar_get_next(it);
++	next = (bctbx_iterator_t *)(new iterator(*((iterator *)(next))));
+ 	bctbx_iterator_cchar_delete(it);
+ 	return next;
+ }

srcpkgs/bctoolbox/patches/use-after-realloc.patch

@@ -0,0 +1,29 @@
+Index: bctoolbox-5.1.17/src/utils/port.c
+===================================================================
+--- bctoolbox-5.1.17.orig/src/utils/port.c
++++ bctoolbox-5.1.17/src/utils/port.c
+@@ -398,6 +398,7 @@ char * WSAAPI gai_strerror(int errnum){
+ #include <netdb.h>
+ #include <sys/un.h>
+ #include <sys/stat.h>
++#include <stddef.h>
+ 
+ static char *make_pipe_name(const char *name){
+ 	return bctbx_strdup_printf("/tmp/%s",name);
+@@ -1508,6 +1509,7 @@ char * bctbx_concat(const char *str, ...
+ 			/* Resize the allocated memory if necessary.  */
+ 			if (wp + len + 1 > result + allocated)
+ 			{
++				ptrdiff_t offset = wp - result;
+ 				allocated = (allocated + len) * 2;
+ 				newp = (char *) realloc (result, allocated);
+ 				if (newp == NULL)
+@@ -1515,7 +1517,7 @@ char * bctbx_concat(const char *str, ...
+ 					free (result);
+ 					return NULL;
+ 				}
+-				wp = newp + (wp - result);
++				wp = newp + offset;
+ 				result = newp;
+ 			}
+ 			memcpy (wp, s, len);

srcpkgs/bctoolbox/template

@@ -1,7 +1,7 @@
 # Template file for 'bctoolbox'
 pkgname=bctoolbox
 version=5.1.17
-revision=1
+revision=2
 build_style=cmake
 configure_args="-DENABLE_TESTS=ON -DENABLE_TESTS_COMPONENT=FALSE
  -DCMAKE_MODULE_PATH=/usr/lib/cmake"