commit 5b69bdf89197628da1f182713fdeb001da846c25 · pyrox.dev/nixpkgs

-72

pkgs/applications/misc/djvulibre/CVE-2019-15142.patch

··· 1 - commit 970fb11a296b5bbdc5e8425851253d2c5913c45e 2 - Author: Leon Bottou <leon@bottou.org> 3 - Date: Tue Mar 26 20:36:31 2019 -0400 4 - 5 - Fix bug#296 6 - 7 - diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp 8 - index a6a39e0..0a0fac6 100644 9 - --- a/libdjvu/DjVmDir.cpp 10 - +++ b/libdjvu/DjVmDir.cpp 11 - @@ -299,42 +299,44 @@ DjVmDir::decode(const GP<ByteStream> &gstr) 12 - memcpy((char*) strings+strings_size, buffer, length); 13 - } 14 - DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n"); 15 - - if (strings[strings.size()-1] != 0) 16 - - { 17 - - int strings_size=strings.size(); 18 - - strings.resize(strings_size+1); 19 - - strings[strings_size] = 0; 20 - - } 21 - + int strings_size=strings.size(); 22 - + strings.resize(strings_size+3); 23 - + memset((char*) strings+strings_size, 0, 4); 24 - 25 - - // Copy names into the files 26 - + // Copy names into the files 27 - const char * ptr=strings; 28 - for(pos=files_list;pos;++pos) 29 - { 30 - GP<File> file=files_list[pos]; 31 - - 32 - + if (ptr >= (const char*)strings + strings_size) 33 - + G_THROW( "DjVu document is corrupted (DjVmDir)" ); 34 - file->id=ptr; 35 - ptr+=file->id.length()+1; 36 - if (file->flags & File::HAS_NAME) 37 - { 38 - - file->name=ptr; 39 - - ptr+=file->name.length()+1; 40 - - } else 41 - + file->name=ptr; 42 - + ptr+=file->name.length()+1; 43 - + } 44 - + else 45 - { 46 - file->name=file->id; 47 - } 48 - if (file->flags & File::HAS_TITLE) 49 - { 50 - - file->title=ptr; 51 - - ptr+=file->title.length()+1; 52 - - } else 53 - - file->title=file->id; 54 - - /* msr debug: multipage file, file->title is null. 55 - + file->title=ptr; 56 - + ptr+=file->title.length()+1; 57 - + } 58 - + else 59 - + { 60 - + file->title=file->id; 61 - + } 62 - + /* msr debug: multipage file, file->title is null. 63 - DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " << 64 - file->offset << ", " << file->size << ", " << 65 - file->is_page() << "\n"); */ 66 - } 67 - 68 - - // Check that there is only one file with SHARED_ANNO flag on 69 - + // Check that there is only one file with SHARED_ANNO flag on 70 - int shared_anno_cnt=0; 71 - for(pos=files_list;pos;++pos) 72 - {

-39

pkgs/applications/misc/djvulibre/CVE-2019-15143.patch

··· 1 - commit b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f 2 - Author: Leon Bottou <leon@bottou.org> 3 - Date: Tue Mar 26 20:45:46 2019 -0400 4 - 5 - fix for bug #297 6 - 7 - diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp 8 - index 0a0fac6..5a49015 100644 9 - --- a/libdjvu/DjVmDir.cpp 10 - +++ b/libdjvu/DjVmDir.cpp 11 - @@ -309,7 +309,7 @@ DjVmDir::decode(const GP<ByteStream> &gstr) 12 - { 13 - GP<File> file=files_list[pos]; 14 - if (ptr >= (const char*)strings + strings_size) 15 - - G_THROW( "DjVu document is corrupted (DjVmDir)" ); 16 - + G_THROW( ByteStream::EndOfFile ); 17 - file->id=ptr; 18 - ptr+=file->id.length()+1; 19 - if (file->flags & File::HAS_NAME) 20 - diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp 21 - index 0e487f0..c2fdbe4 100644 22 - --- a/libdjvu/GBitmap.cpp 23 - +++ b/libdjvu/GBitmap.cpp 24 - @@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs) 25 - int c = 0; 26 - while (n >= 0) 27 - { 28 - - bs.read(&h, 1); 29 - + if (bs.read(&h, 1) <= 0) 30 - + G_THROW( ByteStream::EndOfFile ); 31 - int x = h; 32 - if (x >= (int)RUNOVERFLOWVALUE) 33 - { 34 - - bs.read(&h, 1); 35 - + if (bs.read(&h, 1) <= 0) 36 - + G_THROW( ByteStream::EndOfFile ); 37 - x = h + ((x - (int)RUNOVERFLOWVALUE) << 8); 38 - } 39 - if (c+x > ncolumns)

-111

pkgs/applications/misc/djvulibre/CVE-2019-15144.patch

··· 1 - commit e15d51510048927f172f1bf1f27ede65907d940d 2 - Author: Leon Bottou <leon@bottou.org> 3 - Date: Mon Apr 8 22:25:55 2019 -0400 4 - 5 - bug 299 fixed 6 - 7 - diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h 8 - index 96b067c..0140211 100644 9 - --- a/libdjvu/GContainer.h 10 - +++ b/libdjvu/GContainer.h 11 - @@ -550,52 +550,61 @@ public: 12 - template <class TYPE> void 13 - GArrayTemplate<TYPE>::sort(int lo, int hi) 14 - { 15 - - if (hi <= lo) 16 - - return; 17 - - if (hi > hibound || lo<lobound) 18 - - G_THROW( ERR_MSG("GContainer.illegal_subscript") ); 19 - TYPE *data = (TYPE*)(*this); 20 - - // Test for insertion sort 21 - - if (hi <= lo + 50) 22 - + while(true) 23 - { 24 - - for (int i=lo+1; i<=hi; i++) 25 - + if (hi <= lo) 26 - + return; 27 - + if (hi > hibound || lo<lobound) 28 - + G_THROW( ERR_MSG("GContainer.illegal_subscript") ); 29 - + // Test for insertion sort 30 - + if (hi <= lo + 50) 31 - { 32 - - int j = i; 33 - - TYPE tmp = data[i]; 34 - - while ((--j>=lo) && !(data[j]<=tmp)) 35 - - data[j+1] = data[j]; 36 - - data[j+1] = tmp; 37 - + for (int i=lo+1; i<=hi; i++) 38 - + { 39 - + int j = i; 40 - + TYPE tmp = data[i]; 41 - + while ((--j>=lo) && !(data[j]<=tmp)) 42 - + data[j+1] = data[j]; 43 - + data[j+1] = tmp; 44 - + } 45 - + return; 46 - } 47 - - return; 48 - - } 49 - - // -- determine suitable quick-sort pivot 50 - - TYPE tmp = data[lo]; 51 - - TYPE pivot = data[(lo+hi)/2]; 52 - - if (pivot <= tmp) 53 - - { tmp = pivot; pivot=data[lo]; } 54 - - if (data[hi] <= tmp) 55 - - { pivot = tmp; } 56 - - else if (data[hi] <= pivot) 57 - - { pivot = data[hi]; } 58 - - // -- partition set 59 - - int h = hi; 60 - - int l = lo; 61 - - while (l < h) 62 - - { 63 - - while (! (pivot <= data[l])) l++; 64 - - while (! (data[h] <= pivot)) h--; 65 - - if (l < h) 66 - + // -- determine median-of-three pivot 67 - + TYPE tmp = data[lo]; 68 - + TYPE pivot = data[(lo+hi)/2]; 69 - + if (pivot <= tmp) 70 - + { tmp = pivot; pivot=data[lo]; } 71 - + if (data[hi] <= tmp) 72 - + { pivot = tmp; } 73 - + else if (data[hi] <= pivot) 74 - + { pivot = data[hi]; } 75 - + // -- partition set 76 - + int h = hi; 77 - + int l = lo; 78 - + while (l < h) 79 - { 80 - - tmp = data[l]; 81 - - data[l] = data[h]; 82 - - data[h] = tmp; 83 - - l = l+1; 84 - - h = h-1; 85 - + while (! (pivot <= data[l])) l++; 86 - + while (! (data[h] <= pivot)) h--; 87 - + if (l < h) 88 - + { 89 - + tmp = data[l]; 90 - + data[l] = data[h]; 91 - + data[h] = tmp; 92 - + l = l+1; 93 - + h = h-1; 94 - + } 95 - + } 96 - + // -- recurse, small partition first 97 - + // tail-recursion elimination 98 - + if (h - lo <= hi - l) { 99 - + sort(lo,h); 100 - + lo = l; // sort(l,hi) 101 - + } else { 102 - + sort(l,hi); 103 - + hi = h; // sort(lo,h) 104 - } 105 - } 106 - - // -- recursively restart 107 - - sort(lo, h); 108 - - sort(l, hi); 109 - } 110 - 111 - template<class TYPE> inline TYPE&

-28

pkgs/applications/misc/djvulibre/CVE-2019-15145.patch

··· 1 - commit 9658b01431cd7ff6344d7787f855179e73fe81a7 2 - Author: Leon Bottou <leon@bottou.org> 3 - Date: Mon Apr 8 22:55:38 2019 -0400 4 - 5 - fix bug #298 6 - 7 - diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h 8 - index e8e0c9b..ca89a19 100644 9 - --- a/libdjvu/GBitmap.h 10 - +++ b/libdjvu/GBitmap.h 11 - @@ -566,7 +566,7 @@ GBitmap::operator[](int row) 12 - { 13 - if (!bytes) 14 - uncompress(); 15 - - if (row<0 || row>=nrows) { 16 - + if (row<0 || row>=nrows || !bytes) { 17 - #ifndef NDEBUG 18 - if (zerosize < bytes_per_row + border) 19 - G_THROW( ERR_MSG("GBitmap.zero_small") ); 20 - @@ -581,7 +581,7 @@ GBitmap::operator[](int row) const 21 - { 22 - if (!bytes) 23 - ((GBitmap*)this)->uncompress(); 24 - - if (row<0 || row>=nrows) { 25 - + if (row<0 || row>=nrows || !bytes) { 26 - #ifndef NDEBUG 27 - if (zerosize < bytes_per_row + border) 28 - G_THROW( ERR_MSG("GBitmap.zero_small") );

-32

pkgs/applications/misc/djvulibre/CVE-2019-18804.patch

··· 1 - commit c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125 2 - Author: Leon Bottou <leon@bottou.org> 3 - Date: Thu Oct 17 22:20:31 2019 -0400 4 - 5 - Fixed bug 309 6 - 7 - diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp 8 - index 00752a0..f81eaeb 100644 9 - --- a/libdjvu/IW44EncodeCodec.cpp 10 - +++ b/libdjvu/IW44EncodeCodec.cpp 11 - @@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale) 12 - int y = 0; 13 - int s = scale*rowsize; 14 - int s3 = s+s+s; 15 - - h = ((h-1)/scale)+1; 16 - + h = (h>0) ? ((h-1)/scale)+1 : 0; 17 - y += 1; 18 - p += s; 19 - while (y-3 < h) 20 - diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp 21 - index 6d0df3b..7109952 100644 22 - --- a/tools/ddjvu.cpp 23 - +++ b/tools/ddjvu.cpp 24 - @@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno) 25 - prect.h = (ih * 100) / dpi; 26 - } 27 - /* Process aspect ratio */ 28 - - if (flag_aspect <= 0) 29 - + if (flag_aspect <= 0 && iw>0 && ih>0) 30 - { 31 - double dw = (double)iw / prect.w; 32 - double dh = (double)ih / prect.h;

+3 -14

pkgs/applications/misc/djvulibre/default.nix

··· 8 8 9 9 stdenv.mkDerivation rec { 10 10 pname = "djvulibre"; 11 - version = "3.5.27"; 11 + version = "3.5.28"; 12 12 13 13 src = fetchurl { 14 14 url = "mirror://sourceforge/djvu/${pname}-${version}.tar.gz"; 15 - sha256 = "0psh3zl9dj4n4r3lx25390nx34xz0bg0ql48zdskhq354ljni5p6"; 15 + sha256 = "1p1fiygq9ny8aimwc4vxwjc6k9ykgdsq1sq06slfbzalfvm0kl7w"; 16 16 }; 17 17 18 18 outputs = [ "bin" "dev" "out" ]; ··· 24 24 libiconv 25 25 ]; 26 26 27 - patches = [ 28 - ./CVE-2019-18804.patch 29 - # This one is needed to make the following 30 - # two CVE patches apply cleanly 31 - ./fix_hongfuzz_crash.patch 32 - ./CVE-2019-15142.patch 33 - ./CVE-2019-15143.patch 34 - ./CVE-2019-15144.patch 35 - ./CVE-2019-15145.patch 36 - ]; 37 - 38 27 meta = with lib; { 39 28 description = "The big set of CLI tools to make/modify/optimize/show/export DJVU files"; 40 29 homepage = "http://djvu.sourceforge.net"; 41 - license = licenses.gpl2; 30 + license = licenses.gpl2Plus; 42 31 maintainers = with maintainers; [ Anton-Latukha ]; 43 32 platforms = platforms.all; 44 33 };

-51

pkgs/applications/misc/djvulibre/fix_hongfuzz_crash.patch

··· 1 - commit 89d71b01d606e57ecec2c2930c145bb20ba5bbe3 2 - Author: Leon Bottou <leon@bottou.org> 3 - Date: Fri Jul 13 08:46:22 2018 -0400 4 - 5 - fix hongfuzz crash. 6 - 7 - diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp 8 - index d322323..a6a39e0 100644 9 - --- a/libdjvu/DjVmDir.cpp 10 - +++ b/libdjvu/DjVmDir.cpp 11 - @@ -299,7 +299,13 @@ DjVmDir::decode(const GP<ByteStream> &gstr) 12 - memcpy((char*) strings+strings_size, buffer, length); 13 - } 14 - DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n"); 15 - - 16 - + if (strings[strings.size()-1] != 0) 17 - + { 18 - + int strings_size=strings.size(); 19 - + strings.resize(strings_size+1); 20 - + strings[strings_size] = 0; 21 - + } 22 - + 23 - // Copy names into the files 24 - const char * ptr=strings; 25 - for(pos=files_list;pos;++pos) 26 - diff --git a/libdjvu/miniexp.cpp b/libdjvu/miniexp.cpp 27 - index 6a5cd90..828addc 100644 28 - --- a/libdjvu/miniexp.cpp 29 - +++ b/libdjvu/miniexp.cpp 30 - @@ -1065,7 +1065,7 @@ print_c_string(const char *s, char *d, int flags, size_t len) 31 - c = (unsigned char)(*s++); 32 - if (char_quoted(c, flags)) 33 - { 34 - - char buffer[10]; 35 - + char buffer[16]; /* 10+1 */ 36 - static const char *tr1 = "\"\\tnrbf"; 37 - static const char *tr2 = "\"\\\t\n\r\b\f"; 38 - buffer[0] = buffer[1] = 0; 39 - diff --git a/tools/csepdjvu.cpp b/tools/csepdjvu.cpp 40 - index 7ed13ad..fab9472 100644 41 - --- a/tools/csepdjvu.cpp 42 - +++ b/tools/csepdjvu.cpp 43 - @@ -1834,7 +1834,7 @@ main(int argc, const char **argv) 44 - ByteStream::create(GURL::Filename::UTF8(arg),"rb"); 45 - BufferByteStream ibs(*fbs); 46 - do { 47 - - char pagename[16]; 48 - + char pagename[20]; 49 - sprintf(pagename, "p%04d.djvu", ++pageno); 50 - if (opts.verbose > 1) 51 - DjVuPrintErrorUTF8("%s","--------------------\n");