From 685f10cbfd1120c865ff7d3e4ce3923998fe2286 Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik@redhat.com>
Date: Jan 16 2019 16:43:33 +0000
Subject: Reject invalid rbt file if header is corrupted


Resolves: rhbz#1666814

---

diff --git a/bind-9.11-rh1666814.patch b/bind-9.11-rh1666814.patch
new file mode 100644
index 0000000..ea1df5d
--- /dev/null
+++ b/bind-9.11-rh1666814.patch
@@ -0,0 +1,37 @@
+From 3bb29f45604ac6890f4ea5cdcbd1a62e6dad14a7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 16 Jan 2019 16:27:33 +0100
+Subject: [PATCH 2/2] Fix possible crash when loading corrupted file
+
+Some values passes internal triggers by coincidence. Fix the check and
+check also first_node_offset before even passing it further.
+---
+ lib/dns/rbt.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
+index 62d0826..b029b7d 100644
+--- a/lib/dns/rbt.c
++++ b/lib/dns/rbt.c
+@@ -787,7 +787,7 @@ treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
+ 		return (ISC_R_SUCCESS);
+ 
+ 	CONFIRM((void *) n >= base);
+-	CONFIRM((char *) n - (char *) base <= (int) nodemax);
++	CONFIRM((size_t)((char *) n - (char *) base) <= nodemax);
+ 	CONFIRM(DNS_RBTNODE_VALID(n));
+ 
+ 	dns_name_init(&nodename, NULL);
+@@ -939,7 +939,8 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
+ 	rbt->root = (dns_rbtnode_t *)((char *)base_address +
+ 				header_offset + header->first_node_offset);
+ 
+-	if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
++	if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
++	    || header->first_node_offset > filesize) {
+ 		result = ISC_R_INVALIDFILE;
+ 		goto cleanup;
+ 	}
+-- 
+2.20.1
+
diff --git a/bind.spec b/bind.spec
index f0c5d10..a6357de 100644
--- a/bind.spec
+++ b/bind.spec
@@ -54,7 +54,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.11.5
-Release:  3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 #
@@ -131,6 +131,8 @@ Patch161:bind-9.11-host-idn-disable.patch
 Patch162:bind-9.11-unit-dnstap-pkcs11.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/8a98277811e
 Patch163:bind-9.11-rh1663318.patch
+# https://gitlab.isc.org/isc-projects/bind9/issues/819
+Patch164:bind-9.11-rh1666814.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -489,6 +491,7 @@ are used for building ISC DHCP.
 %patch161 -p1 -b .host-idn-disable
 %patch162 -p1 -b .dnstap-pkcs11
 %patch163 -p1 -b .rh1663318
+%patch164 -p1 -b .rh1666814
 
 mkdir lib/dns/tests/testdata/dstrandom
 cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@@ -1487,6 +1490,9 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Wed Jan 16 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-4
+- Reject invalid binary file (#1666814)
+
 * Mon Jan 14 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.5-3
 - Disable crypto rand for DHCP (#1663318)