package/rtl_433: fix CVE-2022-25051

An Off-by-one Error occurs in cmr113_decode of rtl_433 21.12 when
decoding a crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/rtl_433/0003-minor-Fix-overflow-in-Clipsal-CMR113-and-Somfy-IOHC.patch

@@ -0,0 +1,58 @@
+From 2dad7b9fc67a1d0bfbe520fbd821678b8f8cc7a8 Mon Sep 17 00:00:00 2001
+From: "Christian W. Zuckschwerdt" <christian@zuckschwerdt.org>
+Date: Mon, 24 Jan 2022 15:53:20 +0100
+Subject: [PATCH] minor: Fix overflow in Clipsal-CMR113 and Somfy-IOHC reported
+ by aug5t7
+
+[Retrieved from:
+https://github.com/merbanan/rtl_433/commit/2dad7b9fc67a1d0bfbe520fbd821678b8f8cc7a8]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/devices/cmr113.c     | 4 ++--
+ src/devices/somfy_iohc.c | 9 +++++----
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/devices/cmr113.c b/src/devices/cmr113.c
+index c85dfac56..19ec5d421 100644
+--- a/src/devices/cmr113.c
++++ b/src/devices/cmr113.c
+@@ -42,8 +42,8 @@ Kudos to Jon Oxer for decoding this stream and putting it here:
+ 
+ */
+ 
+-#define COMPARE_BITS 83
+-#define COMPARE_BYTES (COMPARE_BITS/8)
++#define COMPARE_BITS  83
++#define COMPARE_BYTES ((COMPARE_BITS + 7) / 8)
+ 
+ static int cmr113_decode(r_device *decoder, bitbuffer_t *bitbuffer)
+ {
+diff --git a/src/devices/somfy_iohc.c b/src/devices/somfy_iohc.c
+index 906cae53e..2c88067b5 100644
+--- a/src/devices/somfy_iohc.c
++++ b/src/devices/somfy_iohc.c
+@@ -100,11 +100,12 @@ static int somfy_iohc_decode(r_device *decoder, bitbuffer_t *bitbuffer)
+     if (bitbuffer->num_rows != 1)
+         return DECODE_ABORT_EARLY;
+ 
+-    int offset = bitbuffer_search(bitbuffer, 0, 0, preamble_pattern, 24) + 24;
+-    if (offset >= bitbuffer->bits_per_row[0] - 19 * 10)
++    unsigned offset = bitbuffer_search(bitbuffer, 0, 0, preamble_pattern, 24) + 24;
++    if (offset + 19 * 10 >= bitbuffer->bits_per_row[0])
+         return DECODE_ABORT_EARLY;
+ 
+-    int num_bits = bitbuffer->bits_per_row[0] - offset;
++    unsigned num_bits = bitbuffer->bits_per_row[0] - offset;
++    num_bits = MIN(num_bits, sizeof (b) * 8);
+ 
+     int len = extract_bytes_uart(bitbuffer->bb[0], offset, num_bits, b);
+     if (len < 19)
+@@ -120,7 +121,7 @@ static int somfy_iohc_decode(r_device *decoder, bitbuffer_t *bitbuffer)
+     // calculate and verify checksum
+     if (crc16lsb(b, len, 0x8408, 0x0000) != 0) // unreflected poly 0x1021
+         return DECODE_FAIL_MIC;
+-    bitrow_printf(b, len * 8, "%s: offset %d, num_bits %d, len %d, msg_len %d\n", __func__, offset, num_bits, len, msg_len);
++    bitrow_printf(b, len * 8, "%s: offset %u, num_bits %u, len %d, msg_len %d\n", __func__, offset, num_bits, len, msg_len);
+ 
+     int msg_type = (b[0]);
+     int dst_id   = ((unsigned)b[4] << 24) | (b[3] << 16) | (b[2] << 8) | (b[1]); // assume Little-Endian

package/rtl_433/rtl_433.mk

@@ -17,6 +17,9 @@ RTL_433_CONF_OPTS = \
 	-DBUILD_TESTING_ANALYZER=OFF \
 	-DENABLE_SOAPYSDR=OFF
 
+# 0003-minor-Fix-overflow-in-Clipsal-CMR113-and-Somfy-IOHC.patch
+RTL_433_IGNORE_CVES += CVE-2022-25051
+
 ifeq ($(BR2_PACKAGE_LIBRTLSDR),y)
 RTL_433_DEPENDENCIES += librtlsdr
 RTL_433_CONF_OPTS += -DENABLE_RTLSDR=ON