From 85b5413f172a342c220d4d828d6e1a35be210c29 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sat, 24 Apr 2021 16:34:20 +0100
Subject: [PATCH] libupnp: add patch for CVE-2020-13848

patch sourced from debian's 1.6.19+git20160116-1.2+deb9u1
---
 .../libraries/pupnp/CVE-2020-13848.patch | 50 +++++++++++++++++++
 pkgs/development/libraries/pupnp/default.nix | 4 ++
 2 files changed, 54 insertions(+)
 create mode 100644 pkgs/development/libraries/pupnp/CVE-2020-13848.patch

diff --git a/pkgs/development/libraries/pupnp/CVE-2020-13848.patch b/pkgs/development/libraries/pupnp/CVE-2020-13848.patch
new file mode 100644
index 00000000000000..423bd3846dd9ab
--- /dev/null
+++ b/pkgs/development/libraries/pupnp/CVE-2020-13848.patch
@@ -0,0 +1,50 @@
+Description: CVE-2020-13848
+ remote attackers to cause a denial of service (crash) via a crafted
+ SSDP message due to a NULL pointer dereference in the functions
+ FindServiceControlURLPath and FindServiceEventURLPath in
+ genlib/service_table/service_table.c
+
+---
+Origin: https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0
+Author: Abhijith PA
+Bug: https://github.com/pupnp/pupnp/issues/177
+Bug-Debian: https://bugs.debian.org/962282
+Last-Update: 2020-06-07
+
+--- a/upnp/src/genlib/service_table/service_table.c
++++ b/upnp/src/genlib/service_table/service_table.c
+@@ -299,12 +299,11 @@
+ uri_type parsed_url;
+ uri_type parsed_url_in;
+
+- if( ( table )
+- &&
+- ( parse_uri( eventURLPath,
+- strlen( eventURLPath ),
+- &parsed_url_in ) == HTTP_SUCCESS ) ) {
+-
++ if (!table || !eventURLPath) {
++ return NULL;
++ }
++ if (parse_uri(eventURLPath, strlen(eventURLPath), &parsed_url_in) ==
++ HTTP_SUCCESS) {
+ finger = table->serviceList;
+ while( finger ) {
+ if( finger->eventURL )
+@@ -351,11 +350,11 @@
+ uri_type parsed_url;
+ uri_type parsed_url_in;
+
+- if( ( table )
+- &&
+- ( parse_uri
+- ( controlURLPath, strlen( controlURLPath ),
+- &parsed_url_in ) == HTTP_SUCCESS ) ) {
++ if (!table || !controlURLPath) {
++ return NULL;
++ }
++ if (parse_uri(controlURLPath, strlen(controlURLPath), &parsed_url_in) ==
++ HTTP_SUCCESS) {
+ finger = table->serviceList;
+ while( finger ) {
+ if( finger->controlURL )
diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix
index ef13111852785b..a486f239a69f7c 100644
--- a/pkgs/development/libraries/pupnp/default.nix
+++ b/pkgs/development/libraries/pupnp/default.nix
@@ -12,6 +12,10 @@ stdenv.mkDerivation rec {
 };
 outputs = [ "dev" "out" ];
+ patches = [
+ ./CVE-2020-13848.patch
+ ];
+
 nativeBuildInputs = [ autoreconfHook pkg-config ];
 hardeningDisable = [ "fortify" ];
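Review bot: The two new guards, `if (!table || !eventURLPath) { return NULL; }` and its `controlURLPath` twin, only keep `strlen()` from being called on a NULL path inside the lookup functions, so every caller that handles an incoming SSDP message has to treat a NULL result as "service not found". That cannot be checked here, because both function bodies start and end outside the inner hunks. The inner offsets (`-299,12 +299,11` and `-351,11 +350,11`) come from Debian's 1.6.19 tree, and the version that default.nix builds is not shown in this commit. It is worth confirming from the patch phase of a build that the patch applies without fuzz and that the guards land in FindServiceEventURLPath and FindServiceControlURLPath, as the Description states.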
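Review bot: The new `patches` entry in default.nix carries no comment saying where the patch came from or when it can be dropped, so the next version bump has to rediscover that from the commit log. A trailing comment on the entry would do, for example `./CVE-2020-13848.patch # Debian 1.6.19+git20160116-1.2+deb9u1, upstream c805c1de1141cb22f74c0d94dd5664bda37398e0; drop once the packaged version includes it`. Separately, the unchanged context line `hardeningDisable = [ "fortify" ];` sits directly below the new list; it predates this commit, but for a library that parses network input a short comment recording why fortify is disabled would help reviewers of later security patches.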