
Merge pull request #74877 from d-goldin/djvulibre_sec_patches_1903

[19.03] djvulibre: patching multiple CVEs

authored by Christian Kauhaus and committed by GitHub 5f7eae4b 3ead845d

+72
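--- a/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch
@@ -0,0 +1,72 @@
+commit 970fb11a296b5bbdc5e8425851253d2c5913c45e
+Author: Leon Bottou <leon@bottou.org>
+Date: Tue Mar 26 20:36:31 2019 -0400
+
+Fix bug#296
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index a6a39e0..0a0fac6 100644
+--- a/libdjvu/DjVmDir.cpp
++++ b/libdjvu/DjVmDir.cpp
+@@ -299,42 +299,44 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+memcpy((char*) strings+strings_size, buffer, length);
+}
+DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
+- if (strings[strings.size()-1] != 0)
+- {
+- int strings_size=strings.size();
+- strings.resize(strings_size+1);
+- strings[strings_size] = 0;
+- }
++ int strings_size=strings.size();
++ strings.resize(strings_size+3);
++ memset((char*) strings+strings_size, 0, 4);
+
+- // Copy names into the files
++ // Copy names into the files
+const char * ptr=strings;
+for(pos=files_list;pos;++pos)
+{
+GP<File> file=files_list[pos];
+-
++ if (ptr >= (const char*)strings + strings_size)
++ G_THROW( "DjVu document is corrupted (DjVmDir)" );
+file->id=ptr;
+ptr+=file->id.length()+1;
+if (file->flags & File::HAS_NAME)
+{
+- file->name=ptr;
+- ptr+=file->name.length()+1;
+- } else
++ file->name=ptr;
++ ptr+=file->name.length()+1;
++ }
++ else
+{
+file->name=file->id;
+}
+if (file->flags & File::HAS_TITLE)
+{
+- file->title=ptr;
+- ptr+=file->title.length()+1;
+- } else
+- file->title=file->id;
+- /* msr debug: multipage file, file->title is null.
++ file->title=ptr;
++ ptr+=file->title.length()+1;
++ }
++ else
++ {
++ file->title=file->id;
++ }
++ /* msr debug: multipage file, file->title is null.
+DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
+file->offset << ", " << file->size << ", " <<
+file->is_page() << "\n"); */
+}
+
+- // Check that there is only one file with SHARED_ANNO flag on
++ // Check that there is only one file with SHARED_ANNO flag on
+int shared_anno_cnt=0;
+for(pos=files_list;pos;++pos)
+{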
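Review bot: In DjVmDir::decode the new end-of-buffer test runs only before `file->id=ptr`, so the `file->name=ptr` and `file->title=ptr` reads later in the same iteration are not re-checked and presumably stay in bounds only because of the zero bytes appended just above the loop. That dependency is not written down, and `strings.resize(strings_size+3)` next to `memset(..., 0, 4)` reads like an off-by-one unless resize() takes the new upper index rather than a length, which the hunk does not show. I would add a comment above the memset along the lines of `// pad with 4 NULs (resize takes the upper bound): an unterminated id plus empty name and title still end inside the buffer`. The body of decode starts and ends outside the hunk.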
+39
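--- a/pkgs/applications/misc/djvulibre/CVE-2019-15143.patch
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-15143.patch
@@ -0,0 +1,39 @@
+commit b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f
+Author: Leon Bottou <leon@bottou.org>
+Date: Tue Mar 26 20:45:46 2019 -0400
+
+fix for bug #297
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index 0a0fac6..5a49015 100644
+--- a/libdjvu/DjVmDir.cpp
++++ b/libdjvu/DjVmDir.cpp
+@@ -309,7 +309,7 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+{
+GP<File> file=files_list[pos];
+if (ptr >= (const char*)strings + strings_size)
+- G_THROW( "DjVu document is corrupted (DjVmDir)" );
++ G_THROW( ByteStream::EndOfFile );
+file->id=ptr;
+ptr+=file->id.length()+1;
+if (file->flags & File::HAS_NAME)
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index 0e487f0..c2fdbe4 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs)
+int c = 0;
+while (n >= 0)
+{
+- bs.read(&h, 1);
++ if (bs.read(&h, 1) <= 0)
++ G_THROW( ByteStream::EndOfFile );
+int x = h;
+if (x >= (int)RUNOVERFLOWVALUE)
+{
+- bs.read(&h, 1);
++ if (bs.read(&h, 1) <= 0)
++ G_THROW( ByteStream::EndOfFile );
+x = h + ((x - (int)RUNOVERFLOWVALUE) << 8);
+}
+if (c+x > ncolumns)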
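Review bot: Swapping the descriptive message for `G_THROW( ByteStream::EndOfFile )` in the DjVmDir::decode hunk makes an out-of-range name pointer indistinguishable from an ordinary short read, so any caller that catches EndOfFile and continues with partial data would now also continue past a malformed directory. The callers are outside this page, so that needs confirming rather than assuming. I would record the intent at the throw site, e.g. `// names block ended before all files were named: treat as fatal for this directory`. The two `bs.read(&h, 1) <= 0` checks in read_rle_raw sit in a loop whose bounds handling (`if (c+x > ncolumns)`) continues outside the hunk.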
+111
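--- a/pkgs/applications/misc/djvulibre/CVE-2019-15144.patch
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-15144.patch
@@ -0,0 +1,111 @@
+commit e15d51510048927f172f1bf1f27ede65907d940d
+Author: Leon Bottou <leon@bottou.org>
+Date: Mon Apr 8 22:25:55 2019 -0400
+
+bug 299 fixed
+
+diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h
+index 96b067c..0140211 100644
+--- a/libdjvu/GContainer.h
++++ b/libdjvu/GContainer.h
+@@ -550,52 +550,61 @@ public:
+template <class TYPE> void
+GArrayTemplate<TYPE>::sort(int lo, int hi)
+{
+- if (hi <= lo)
+- return;
+- if (hi > hibound || lo<lobound)
+- G_THROW( ERR_MSG("GContainer.illegal_subscript") );
+TYPE *data = (TYPE*)(*this);
+- // Test for insertion sort
+- if (hi <= lo + 50)
++ while(true)
+{
+- for (int i=lo+1; i<=hi; i++)
++ if (hi <= lo)
++ return;
++ if (hi > hibound || lo<lobound)
++ G_THROW( ERR_MSG("GContainer.illegal_subscript") );
++ // Test for insertion sort
++ if (hi <= lo + 50)
+{
+- int j = i;
+- TYPE tmp = data[i];
+- while ((--j>=lo) && !(data[j]<=tmp))
+- data[j+1] = data[j];
+- data[j+1] = tmp;
++ for (int i=lo+1; i<=hi; i++)
++ {
++ int j = i;
++ TYPE tmp = data[i];
++ while ((--j>=lo) && !(data[j]<=tmp))
++ data[j+1] = data[j];
++ data[j+1] = tmp;
++ }
++ return;
+}
+- return;
+- }
+- // -- determine suitable quick-sort pivot
+- TYPE tmp = data[lo];
+- TYPE pivot = data[(lo+hi)/2];
+- if (pivot <= tmp)
+- { tmp = pivot; pivot=data[lo]; }
+- if (data[hi] <= tmp)
+- { pivot = tmp; }
+- else if (data[hi] <= pivot)
+- { pivot = data[hi]; }
+- // -- partition set
+- int h = hi;
+- int l = lo;
+- while (l < h)
+- {
+- while (! (pivot <= data[l])) l++;
+- while (! (data[h] <= pivot)) h--;
+- if (l < h)
++ // -- determine median-of-three pivot
++ TYPE tmp = data[lo];
++ TYPE pivot = data[(lo+hi)/2];
++ if (pivot <= tmp)
++ { tmp = pivot; pivot=data[lo]; }
++ if (data[hi] <= tmp)
++ { pivot = tmp; }
++ else if (data[hi] <= pivot)
++ { pivot = data[hi]; }
++ // -- partition set
++ int h = hi;
++ int l = lo;
++ while (l < h)
+{
+- tmp = data[l];
+- data[l] = data[h];
+- data[h] = tmp;
+- l = l+1;
+- h = h-1;
++ while (! (pivot <= data[l])) l++;
++ while (! (data[h] <= pivot)) h--;
++ if (l < h)
++ {
++ tmp = data[l];
++ data[l] = data[h];
++ data[h] = tmp;
++ l = l+1;
++ h = h-1;
++ }
++ }
++ // -- recurse, small partition first
++ // tail-recursion elimination
++ if (h - lo <= hi - l) {
++ sort(lo,h);
++ lo = l; // sort(l,hi)
++ } else {
++ sort(l,hi);
++ hi = h; // sort(lo,h)
+}
+}
+- // -- recursively restart
+- sort(lo, h);
+- sort(l, hi);
+}
+
+template<class TYPE> inline TYPE&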
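Review bot: The new loop in GArrayTemplate<TYPE>::sort is labelled `// tail-recursion elimination` but does not state the property that bounds the stack: the one remaining recursive call is always on the smaller partition (`if (h - lo <= hi - l)`), so each level handles at most about half the range and depth grows logarithmically rather than linearly on adversarial orderings. I would put that next to the branch, e.g. `// recurse into the smaller side only, so depth stays O(log(hi-lo))`, so a later cleanup does not swap the two arms. Separately, `data[(lo+hi)/2]` still forms the midpoint by signed addition; `lo + (hi-lo)/2` gives the same index without the overflow for very large bounds.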
+28
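--- a/pkgs/applications/misc/djvulibre/CVE-2019-15145.patch
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-15145.patch
@@ -0,0 +1,28 @@
+commit 9658b01431cd7ff6344d7787f855179e73fe81a7
+Author: Leon Bottou <leon@bottou.org>
+Date: Mon Apr 8 22:55:38 2019 -0400
+
+fix bug #298
+
+diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h
+index e8e0c9b..ca89a19 100644
+--- a/libdjvu/GBitmap.h
++++ b/libdjvu/GBitmap.h
+@@ -566,7 +566,7 @@ GBitmap::operator[](int row)
+{
+if (!bytes)
+uncompress();
+- if (row<0 || row>=nrows) {
++ if (row<0 || row>=nrows || !bytes) {
+#ifndef NDEBUG
+if (zerosize < bytes_per_row + border)
+G_THROW( ERR_MSG("GBitmap.zero_small") );
+@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const
+{
+if (!bytes)
+((GBitmap*)this)->uncompress();
+- if (row<0 || row>=nrows) {
++ if (row<0 || row>=nrows || !bytes) {
+#ifndef NDEBUG
+if (zerosize < bytes_per_row + border)
+G_THROW( ERR_MSG("GBitmap.zero_small") );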
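Review bot: With `|| !bytes` added, GBitmap::operator[] takes the fallback branch for any bitmap whose uncompress() left `bytes` null, yet the only size check on that branch, `if (zerosize < bytes_per_row + border)`, sits under `#ifndef NDEBUG` and disappears in builds that define NDEBUG. If the branch goes on to return a pointer into a shared zero buffer (the return is outside the hunk), a release build could hand out a row shorter than callers index into. I would make the check unconditional in both overloads by dropping the `#ifndef NDEBUG` / `#endif` pair around it. Both operator[] bodies end outside their hunks.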
+32
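--- a/pkgs/applications/misc/djvulibre/CVE-2019-18804.patch
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-18804.patch
@@ -0,0 +1,32 @@
+commit c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125
+Author: Leon Bottou <leon@bottou.org>
+Date: Thu Oct 17 22:20:31 2019 -0400
+
+Fixed bug 309
+
+diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp
+index 00752a0..f81eaeb 100644
+--- a/libdjvu/IW44EncodeCodec.cpp
++++ b/libdjvu/IW44EncodeCodec.cpp
+@@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale)
+int y = 0;
+int s = scale*rowsize;
+int s3 = s+s+s;
+- h = ((h-1)/scale)+1;
++ h = (h>0) ? ((h-1)/scale)+1 : 0;
+y += 1;
+p += s;
+while (y-3 < h)
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 6d0df3b..7109952 100644
+--- a/tools/ddjvu.cpp
++++ b/tools/ddjvu.cpp
+@@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno)
+prect.h = (ih * 100) / dpi;
+}
+/* Process aspect ratio */
+- if (flag_aspect <= 0)
++ if (flag_aspect <= 0 && iw>0 && ih>0)
+{
+double dw = (double)iw / prect.w;
+double dh = (double)ih / prect.h;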
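Review bot: In render() the new guard tests `iw>0 && ih>0`, but the divisors it protects are `prect.w` and `prect.h`, and the context line `prect.h = (ih * 100) / dpi;` shows prect being derived by integer division, which can be 0 for a small positive ih. Testing the divisors themselves is tighter: `if (flag_aspect <= 0 && iw>0 && ih>0 && prect.w>0 && prect.h>0)`. That same context line divides by `dpi` before any check visible here; whether dpi is validated earlier is outside the hunk. In filter_fv, `scale` is likewise used as a divisor with no check in the visible lines.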
+11
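--- a/pkgs/applications/misc/djvulibre/default.nix
+++ b/pkgs/applications/misc/djvulibre/default.nix
@@ -12,6 +12,17 @@
 
 buildInputs = [ libjpeg libtiff librsvg libiconv ];
 
+patches = [
+./CVE-2019-18804.patch
+# This one is needed to make the following
+# two CVE patches apply cleanly
+./fix_hongfuzz_crash.patch
+./CVE-2019-15142.patch
+./CVE-2019-15143.patch
+./CVE-2019-15144.patch
+./CVE-2019-15145.patch
+];
+
 meta = with stdenv.lib; {
 description = "A library and viewer for the DJVU file format for scanned images";
 homepage = http://djvu.sourceforge.net;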
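Review bot: The `patches` list vendors six upstream changes as local files with no pointer to their origin, so checking them against upstream means opening each file to find its commit id. A trailing comment per entry would make that audit possible from default.nix, e.g. `./CVE-2019-18804.patch # upstream c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125`. The ordering comment could also say why the order is fixed: fix_hongfuzz_crash.patch leaves DjVmDir.cpp at blob a6a39e0, which CVE-2019-15142.patch names as its base, and CVE-2019-15143.patch in turn starts from 15142's result 0a0fac6.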
+51
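--- a/pkgs/applications/misc/djvulibre/fix_hongfuzz_crash.patch
+++ b/pkgs/applications/misc/djvulibre/fix_hongfuzz_crash.patch
@@ -0,0 +1,51 @@
+commit 89d71b01d606e57ecec2c2930c145bb20ba5bbe3
+Author: Leon Bottou <leon@bottou.org>
+Date: Fri Jul 13 08:46:22 2018 -0400
+
+fix hongfuzz crash.
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index d322323..a6a39e0 100644
+--- a/libdjvu/DjVmDir.cpp
++++ b/libdjvu/DjVmDir.cpp
+@@ -299,7 +299,13 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+memcpy((char*) strings+strings_size, buffer, length);
+}
+DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
+-
++ if (strings[strings.size()-1] != 0)
++ {
++ int strings_size=strings.size();
++ strings.resize(strings_size+1);
++ strings[strings_size] = 0;
++ }
++
+// Copy names into the files
+const char * ptr=strings;
+for(pos=files_list;pos;++pos)
+diff --git a/libdjvu/miniexp.cpp b/libdjvu/miniexp.cpp
+index 6a5cd90..828addc 100644
+--- a/libdjvu/miniexp.cpp
++++ b/libdjvu/miniexp.cpp
+@@ -1065,7 +1065,7 @@ print_c_string(const char *s, char *d, int flags, size_t len)
+c = (unsigned char)(*s++);
+if (char_quoted(c, flags))
+{
+- char buffer[10];
++ char buffer[16]; /* 10+1 */
+static const char *tr1 = "\"\\tnrbf";
+static const char *tr2 = "\"\\\t\n\r\b\f";
+buffer[0] = buffer[1] = 0;
+diff --git a/tools/csepdjvu.cpp b/tools/csepdjvu.cpp
+index 7ed13ad..fab9472 100644
+--- a/tools/csepdjvu.cpp
++++ b/tools/csepdjvu.cpp
+@@ -1834,7 +1834,7 @@ main(int argc, const char **argv)
+ByteStream::create(GURL::Filename::UTF8(arg),"rb");
+BufferByteStream ibs(*fbs);
+do {
+- char pagename[16];
++ char pagename[20];
+sprintf(pagename, "p%04d.djvu", ++pageno);
+if (opts.verbose > 1)
+DjVuPrintErrorUTF8("%s","--------------------\n");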
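Review bot: In the csepdjvu.cpp hunk the overflow is handled by enlarging `pagename` to 20 bytes while the unbounded `sprintf(pagename, "p%04d.djvu", ++pageno)` stays, so the bound remains a hand count against the widest value `%04d` can print. `snprintf(pagename, sizeof(pagename), "p%04d.djvu", ++pageno);` keeps the write inside the array whatever its size. The same concern applies to `char buffer[16]; /* 10+1 */` in print_c_string, where the comment's arithmetic does not match the declared size and the writes into the buffer are outside the hunk. In the DjVmDir.cpp hunk, `strings[strings.size()-1]` would index -1 on an empty names block; CVE-2019-15142.patch removes that line, so it matters only if this patch is ever applied on its own.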