[bug#46959] gnu: newlib: Fix CVE-2021-3420.

diff --git a/gnu/local.mk b/gnu/local.mk
index fb3b395852..d0260b5921 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1397,6 +1397,7 @@  dist_patch_DATA =						\
   %D%/packages/patches/netsurf-system-utf8proc.patch		\
   %D%/packages/patches/netsurf-y2038-tests.patch		\
   %D%/packages/patches/netsurf-longer-test-timeout.patch	\
+  %D%/packages/patches/newlib-CVE-2021-3420.patch		\
   %D%/packages/patches/nfs4-acl-tools-0.3.7-fixpaths.patch	\
   %D%/packages/patches/ngircd-handle-zombies.patch		\
   %D%/packages/patches/network-manager-plugin-path.patch	\
diff --git a/gnu/packages/embedded.scm b/gnu/packages/embedded.scm
index 51ee244f3c..72dbdf7385 100644
--- a/gnu/packages/embedded.scm
+++ b/gnu/packages/embedded.scm
@@ -173,7 +173,8 @@ 
                                   version ".tar.gz"))
               (sha256
                (base32
-                "01i7qllwicf05vsvh39qj7qp5fdifpvvky0x95hjq39mbqiksnsl"))))
+                "01i7qllwicf05vsvh39qj7qp5fdifpvvky0x95hjq39mbqiksnsl"))
+              (patches (search-patches "newlib-CVE-2021-3420.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:out-of-source? #t
@@ -339,7 +340,8 @@  usable on embedded products.")
          (file-name (git-file-name "newlib" commit))
          (sha256
           (base32
-           "1dq23fqrk75g1a4v7569fvnnw5q440zawbxi3w0g05n8jlqsmvcy"))))
+           "1dq23fqrk75g1a4v7569fvnnw5q440zawbxi3w0g05n8jlqsmvcy"))
+         (patches (search-patches "newlib-CVE-2021-3420.patch"))))
       (arguments
        (substitute-keyword-arguments (package-arguments newlib-arm-none-eabi)
          ;; The configure flags are identical to the flags used by the "GCC ARM
diff --git a/gnu/packages/patches/newlib-CVE-2021-3420.patch b/gnu/packages/patches/newlib-CVE-2021-3420.patch
new file mode 100644
index 0000000000..f7834664b5
--- /dev/null
+++ b/gnu/packages/patches/newlib-CVE-2021-3420.patch
@@ -0,0 +1,105 @@ 
+From aa106b29a6a8a1b0df9e334704292cbc32f2d44e Mon Sep 17 00:00:00 2001
+From: Corinna Vinschen <vinschen@redhat.com>
+Date: Tue, 17 Nov 2020 10:50:57 +0100
+Subject: [PATCH] malloc/nano-malloc: correctly check for out-of-bounds
+ allocation reqs
+
+The overflow check in mEMALIGn erroneously checks for INT_MAX,
+albeit the input parameter is size_t.  Fix this to check for
+__SIZE_MAX__ instead.  Also, it misses to check the req against
+adding the alignment before calling mALLOc.
+
+While at it, add out-of-bounds checks to pvALLOc, nano_memalign,
+nano_valloc, and Cygwin's (unused) dlpvalloc.
+
+Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
+---
+ newlib/libc/stdlib/mallocr.c      |  7 ++++++-
+ newlib/libc/stdlib/nano-mallocr.c | 22 +++++++++++++++++++++-
+ winsup/cygwin/malloc.cc           |  4 ++++
+ 3 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/newlib/libc/stdlib/mallocr.c b/newlib/libc/stdlib/mallocr.c
+index 9ad720ada..13d014cc8 100644
+--- a/newlib/libc/stdlib/mallocr.c
++++ b/newlib/libc/stdlib/mallocr.c
+@@ -3055,7 +3055,7 @@ Void_t* mEMALIGn(RARG alignment, bytes) RDECL size_t alignment; size_t bytes;
+   nb = request2size(bytes);
+ 
+   /* Check for overflow. */
+-  if (nb > INT_MAX || nb < bytes)
++  if (nb > __SIZE_MAX__ - (alignment + MINSIZE) || nb < bytes)
+   {
+     RERRNO = ENOMEM;
+     return 0;
+@@ -3172,6 +3172,11 @@ Void_t* pvALLOc(RARG bytes) RDECL size_t bytes;
+ #endif
+ {
+   size_t pagesize = malloc_getpagesize;
++  if (bytes > __SIZE_MAX__ - pagesize)
++  {
++    RERRNO = ENOMEM;
++    return 0;
++  }
+   return mEMALIGn (RCALL pagesize, (bytes + pagesize - 1) & ~(pagesize - 1));
+ }
+ 
+diff --git a/newlib/libc/stdlib/nano-mallocr.c b/newlib/libc/stdlib/nano-mallocr.c
+index 6dbfba84b..1e0703948 100644
+--- a/newlib/libc/stdlib/nano-mallocr.c
++++ b/newlib/libc/stdlib/nano-mallocr.c
+@@ -580,8 +580,22 @@ void * nano_memalign(RARG size_t align, size_t s)
+     if ((align & (align-1)) != 0) return NULL;
+ 
+     align = MAX(align, MALLOC_ALIGN);
++
++    /* Make sure ma_size does not overflow */
++    if (s > __SIZE_MAX__ - CHUNK_ALIGN)
++    {
++	RERRNO = ENOMEM;
++	return NULL;
++    }
+     ma_size = ALIGN_SIZE(MAX(s, MALLOC_MINSIZE), CHUNK_ALIGN);
+-    size_with_padding = ma_size + align - MALLOC_ALIGN;
++
++    /* Make sure size_with_padding does not overflow */
++    if (ma_size > __SIZE_MAX__ - (align - MALLOC_ALIGN))
++    {
++	RERRNO = ENOMEM;
++	return NULL;
++    }
++    size_with_padding = ma_size + (align - MALLOC_ALIGN);
+ 
+     allocated = nano_malloc(RCALL size_with_padding);
+     if (allocated == NULL) return NULL;
+@@ -644,6 +658,12 @@ void * nano_valloc(RARG size_t s)
+ #ifdef DEFINE_PVALLOC
+ void * nano_pvalloc(RARG size_t s)
+ {
++    /* Make sure size given to nano_valloc does not overflow */
++    if (s > __SIZE_MAX__ - MALLOC_PAGE_ALIGN)
++    {
++	RERRNO = ENOMEM;
++	return NULL;
++    }
+     return nano_valloc(RCALL ALIGN_SIZE(s, MALLOC_PAGE_ALIGN));
+ }
+ #endif /* DEFINE_PVALLOC */
+diff --git a/winsup/cygwin/malloc.cc b/winsup/cygwin/malloc.cc
+index 23c354074..8a1fc257e 100644
+--- a/winsup/cygwin/malloc.cc
++++ b/winsup/cygwin/malloc.cc
+@@ -5298,6 +5298,10 @@ void* dlpvalloc(size_t bytes) {
+   size_t pagesz;
+   ensure_initialization();
+   pagesz = mparams.page_size;
++  if (bytes > MAX_REQUEST) {
++    MALLOC_FAILURE_ACTION;
++    return NULL;
++  }
+   return dlmemalign(pagesz, (bytes + pagesz - SIZE_T_ONE) & ~(pagesz - SIZE_T_ONE));
+ }
+ 
+-- 
+2.27.0
+