File zvbi-CVE-2025-2176,2177,2174,2175.patch of Package zvbi.37835

Index: zvbi-0.2.42/src/conv.c
===================================================================
--- zvbi-0.2.42.orig/src/conv.c
+++ zvbi-0.2.42/src/conv.c
@@ -333,7 +333,8 @@ vbi_strlen_ucs2			(const uint16_t *	src)
  * @returns
  * A pointer to the allocated buffer. You must free() the buffer
  * when it is no longer needed. The function returns @c NULL when
- * it runs out of memory, or when @a src is @c NULL.
+ * it runs out of memory, src_size is too large, or when @a src
+ * is @c NULL.
  *
  * @since 0.2.23
  */
@@ -344,7 +345,11 @@ strndup_identity		(unsigned long *	out_s
 {
 	char *buffer;
 
-	buffer = vbi_malloc (src_size + 4);
+	unsigned long check_buffer_size = (src_size + 4);
+	if (src_size > check_buffer_size)
+		return NULL;
+
+	buffer = vbi_malloc (check_buffer_size);
 	if (NULL == buffer) {
 		if (NULL != out_size)
 			*out_size = 0;
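Review bot: The new early return in strndup_identity leaves `*out_size` untouched, while the allocation-failure branch directly below it sets `*out_size = 0` before returning NULL. A caller that inspects out_size after a NULL return would see a stale value on the overflow path only. Mirroring the existing branch keeps both failure paths consistent: `if (src_size > check_buffer_size) { if (NULL != out_size) *out_size = 0; return NULL; }`. The wraparound test itself is only sound if src_size is an unsigned long; its declaration is outside the hunk, as is the rest of the function body.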
@@ -376,7 +381,8 @@ strndup_identity		(unsigned long *	out_s
  * @returns
  * A pointer to the allocated buffer. You must free() the buffer
  * when it is no longer needed. The function returns @c NULL when
- * it runs out of memory, or when @a src is @c NULL.
+ * it runs out of memory, src_length is too large, or when @a src
+ * is @c NULL.
  *
  * @since 0.2.23
  */
@@ -398,7 +404,11 @@ strndup_utf8_ucs2		(unsigned long *	out_
 	if (src_length < 0)
 		src_length = vbi_strlen_ucs2 (src);
 
-	buffer = vbi_malloc (src_length * 3 + 1);
+	unsigned long check_buffer_size = (src_length * 3 + 1);
+	if (src_length > check_buffer_size)
+		return NULL;
+
+	buffer = vbi_malloc (check_buffer_size);
 	if (NULL == buffer)
 		return NULL;
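Review bot: `src_length * 3 + 1` is still evaluated before the new check, and because src_length is tested with `< 0` two lines earlier it appears to be a signed type, so an overflowing product is undefined behaviour rather than a wrap the later comparison can rely on. A compiler is entitled to assume the overflow never happens and weaken or drop the test. Bounding the length before multiplying avoids this: `if ((unsigned long) src_length > (ULONG_MAX - 1) / 3) return NULL;` (needs `<limits.h>`), with the size then computed in unsigned long. The function starts and continues outside the hunk, so the declared type of src_length should be confirmed there.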
 
Index: zvbi-0.2.42/src/io-sim.c
===================================================================
--- zvbi-0.2.42.orig/src/io-sim.c
+++ zvbi-0.2.42/src/io-sim.c
@@ -1898,7 +1898,10 @@ vbi_capture_sim_load_caption	(vbi_captur
 		}
 
 		if (b->size >= b->capacity) {
-			if (!extend_buffer (b, b->capacity + 256))
+			unsigned int check_buffer_size = (b->capacity + 256);
+			if (b->capacity > check_buffer_size)
+				return FALSE;
+			if (!extend_buffer (b, check_buffer_size))
 				return FALSE;
 		}
 
Index: zvbi-0.2.42/src/search.c
===================================================================
--- zvbi-0.2.42.orig/src/search.c
+++ zvbi-0.2.42/src/search.c
@@ -470,7 +470,8 @@ ucs2_strlen(const void *string)
  * All this has yet to be addressed.
  *
  * @return
- * A vbi_search context or @c NULL on error.
+ * A vbi_search context or @c NULL on error or pattern string length
+ * is too large.
  */
 vbi_search *
 vbi_search_new(vbi_decoder *vbi,
@@ -490,7 +491,13 @@ vbi_search_new(vbi_decoder *vbi,
 		return NULL;
 
 	if (!regexp) {
-		if (!(esc_pat = malloc(sizeof(ucs2_t) * pat_len * 2))) {
+		unsigned int check_size = (sizeof(ucs2_t) * pat_len * 2);
+		if (pat_len > check_size) {
+			free(s);
+			return NULL;
+		}
+
+		if (!(esc_pat = malloc(check_size))) {
 			free(s);
 			return NULL;
 		}
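Review bot: Comparing `pat_len > check_size` after the multiplication does not reliably detect overflow in vbi_search_new. The product is narrowed to `unsigned int`, and a length multiplied by `sizeof(ucs2_t) * 2` can wrap or be truncated and still come out larger than pat_len, so malloc() may receive a size smaller than the code filling esc_pat presumably needs. Keeping the size in `size_t` and bounding pat_len before multiplying closes the gap: `if (pat_len < 0 || (size_t) pat_len > SIZE_MAX / (sizeof(ucs2_t) * 2)) { free(s); return NULL; }` followed by `size_t check_size = sizeof(ucs2_t) * (size_t) pat_len * 2;`. The declaration of pat_len and the loop that writes esc_pat are outside the hunk, so its signedness and the exact required size should be confirmed there.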