File _service:tar_scm_kernel_repo:backport-CVE-2021-... of Package busybox

File _service:tar_scm_kernel_repo:backport-CVE-2021-28831.patch of Package busybox

From 26d06cef6684055a30cce5922095d22e8a9a91e3 Mon Sep 17 00:00:00 2001
From: leizhongkai <leizhongkai@huawei.com>
Date: Sat, 17 Apr 2021 14:27:23 +0800
Subject: [PATCH] busybox: fix CVE-2021-28831

backoprt from upstream:
https://git.busybox.net/busybox/patch/?id=dbd3b883a891f076911d752f56f7a906d5650a17

Signed-off-by: leizhongkai <leizhongkai@huawei.com>
---
 archival/libarchive/decompress_gunzip.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
index 7f9046b..3eeae76 100644
--- a/archival/libarchive/decompress_gunzip.c
+++ b/archival/libarchive/decompress_gunzip.c
@@ -222,10 +222,21 @@ static const uint8_t border[] ALIGN1 = {
  * each table.
  * t: table to free
  */
+#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
+#define ERR_RET     ((huft_t*)(uintptr_t)1)
 static void huft_free(huft_t *p)
 {
 	huft_t *q;
 
+    /*
+     * If 'p' has the error bit set we have to clear it, otherwise we might run
+     * into a segmentation fault or an invalid pointer to free(p)
+     */
+    if (BAD_HUFT(p)) {
+        p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
+    }
+
+
 	/* Go through linked list, freeing from the malloced (t[-1]) address. */
 	while (p) {
 		q = (--p)->v.t;
-- 
2.23.0