Merge #246773: djvulibre: patch multiple CVEs

+109
+105
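--- /dev/null
+++ b/pkgs/applications/misc/djvulibre/CVE-2021-3500+CVE-2021-32490+CVE-2021-32491+CVE-2021-32492+CVE-2021-32493.patch
@@ -0,0 +1,105 @@
+From cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6 Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Tue, 11 May 2021 14:44:09 -0400
+Subject: [PATCH] Reviewed Fedora patches and adopted some of them (or variants
+thereof)
+
+- Patch0: djvulibre-3.5.22-cdefs.patch (forward ported)
+Does not make imuch sense. GSmartPointer.h already includes "stddef.h"
+- Patch6: djvulibre-3.5.27-export-file.patch (forward ported)
+Incorrect: inkscape command is --export-png, not --export-filename.
+- Patch8: djvulibre-3.5.27-check-image-size.patch (forward ported)
+Correct: adopted a variant of this
+- Patch9: djvulibre-3.5.27-integer-overflow.patch (forward ported)
+Correct: adopted a variant of this
+- Patch10: djvulibre-3.5.27-check-input-pool.patch (forward ported)
+Adopted: input validation never hurts
+- Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch (forward ported)
+Dubious: Instead I changed djvufile to prevent a file from including itself
+which is the only way I can imagine to create an file creation loop.
+- Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch (forward ported)
+Adopted: but without including limits.h
+---
+libdjvu/DataPool.cpp | 3 ++-
+libdjvu/DjVuFile.cpp | 2 ++
+libdjvu/GBitmap.cpp | 2 ++
+libdjvu/IW44Image.cpp | 4 ++++
+tools/ddjvu.cpp | 7 +++++--
+5 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/libdjvu/DataPool.cpp b/libdjvu/DataPool.cpp
+index 5fcbedf..b58fc45 100644
+--- a/libdjvu/DataPool.cpp
++++ b/libdjvu/DataPool.cpp
+@@ -790,7 +790,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
+{
+DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
+DEBUG_MAKE_INDENT(3);
+-
++ if (!pool)
++ G_THROW( ERR_MSG("DataPool.zero_DataPool") );
+DataPool *xpool=new DataPool();
+GP<DataPool> retval=xpool;
+xpool->init();
+diff --git a/libdjvu/DjVuFile.cpp b/libdjvu/DjVuFile.cpp
+index 143346b..2587491 100644
+--- a/libdjvu/DjVuFile.cpp
++++ b/libdjvu/DjVuFile.cpp
+@@ -576,6 +576,8 @@ DjVuFile::process_incl_chunk(ByteStream & str, int file_num)
+GURL incl_url=pcaster->id_to_url(this, incl_str);
+if (incl_url.is_empty()) // Fallback. Should never be used.
+incl_url=GURL::UTF8(incl_str,url.base());
++ if (incl_url == url) // Infinite loop avoidance
++ G_THROW( ERR_MSG("DjVuFile.malformed") );
+
+// Now see if there is already a file with this *name* created
+{
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index c2fdbe4..8ad64b2 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -1284,6 +1284,8 @@ GBitmap::decode(unsigned char *runs)
+// initialize pixel array
+if (nrows==0 || ncolumns==0)
+G_THROW( ERR_MSG("GBitmap.not_init") );
++ if (ncolumns + border != (unsigned short)(ncolumns+border))
++ G_THROW("GBitmap: image size exceeds maximum (corrupted file?)");
+bytes_per_row = ncolumns + border;
+if (runs==0)
+G_THROW( ERR_MSG("GBitmap.null_arg") );
+diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp
+index e8d4b44..4a1797e 100644
+--- a/libdjvu/IW44Image.cpp
++++ b/libdjvu/IW44Image.cpp
+@@ -676,9 +676,13 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
+// Allocate reconstruction buffer
+short *data16;
+size_t sz = bw * bh;
++ if (sz == 0)
++ G_THROW("IW44Image: image size is zero (corrupted file?)");
+if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+GPBuffer<short> gdata16(data16,sz);
++ if (data16 == 0)
++ G_THROW("IW44Image: unable to allocate image buffer");
+// Copy coefficients
+int i;
+short *p = data16;
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 7109952..e7b489b 100644
+--- a/tools/ddjvu.cpp
++++ b/tools/ddjvu.cpp
+@@ -393,8 +393,11 @@ render(ddjvu_page_t *page, int pageno)
+} else if (style == DDJVU_FORMAT_GREY8)
+rowsize = rrect.w;
+else
+- rowsize = rrect.w * 3;
+- if (! (image = (char*)malloc(rowsize * rrect.h)))
++ rowsize = rrect.w * 3;
++ size_t bufsize = (size_t)rowsize * rrect.h;
++ if (bufsize / rowsize != rrect.h)
++ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
++ if (! (image = (char*)malloc(bufsize)))
+die(i18n("Cannot allocate image buffer for page %d"), pageno);
+
+/* Render */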
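Review bot: In the IW44Image::Map::image hunk the new `sz == 0` guard and the "multiplication overflow" check beneath it both inspect a product that was already formed before widening: `size_t sz = bw * bh;` multiplies in the operands' own type, and the `(size_t)bw` casts in the check suggest those are signed ints, so an attacker-sized width×height overflows as signed UB and the compiler may legitimately fold `sz / (size_t)bw != (size_t)bh` to false, leaving `data16` too small for the coefficient copy that follows. Widen before multiplying, `size_t sz = (size_t)bw * (size_t)bh;`, so the existing check actually sees the unwrapped product; if bw/bh can be negative, reject that explicitly first since the cast would turn it into a huge size. I cannot see the Map member declarations from this hunk, so confirm the types against IW44Image.h; the body of Map::image continues outside the hunk.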
+4
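--- a/pkgs/applications/misc/djvulibre/default.nix
+++ b/pkgs/applications/misc/djvulibre/default.nix
@@ -36,6 +36,10 @@
 
 enableParallelBuilding = true;
 
+patches = [
+./CVE-2021-3500+CVE-2021-32490+CVE-2021-32491+CVE-2021-32492+CVE-2021-32493.patch
+];
+
 meta = with lib; {
 description = "The big set of CLI tools to make/modify/optimize/show/export DJVU files";
 homepage = "https://djvu.sourceforge.net";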
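Review bot: The new `patches` entry gives no provenance for the vendored file, so a future maintainer cannot tell when it becomes redundant; the patch header itself names upstream commit cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6, so either pull it with `fetchpatch` and a sha256 (the usual nixpkgs form for an upstream commit) or, if vendoring is deliberate because the upstream remote is unreliable, add `# upstream commit cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6; drop once the package is bumped past 3.5.28` above the list. The filename lists five CVE IDs but nothing in the expression says which hunk addresses which; a one-line comment per ID (or a link to the advisory mapping) would make the next security audit verifiable rather than trusting the name. I cannot confirm from this diff that the upstream commit is the complete fix for all five IDs.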