Commit d2012a47 authored by Ariadne Conill's avatar Ariadne Conill 🐰

community/djvulibre: add mitigations for CVE-2021-3500, CVE-2021-32490,...

community/djvulibre: add mitigations for CVE-2021-3500, CVE-2021-32490, CVE-2021-32491, CVE-2021-32492, CVE-2021-32493
parent 0893602b
......@@ -2,14 +2,29 @@
# Maintainer: Leon Bottou <leonb@bottou.org>
pkgname=djvulibre
pkgver=3.5.28
pkgrel=0
pkgrel=1
pkgdesc="Utilities and Libraries for the DjVu image format"
url="http://djvu.sourceforge.net/"
arch="all"
license="GPL-2.0-only"
makedepends="libjpeg-turbo-dev tiff-dev automake autoconf libtool"
subpackages="$pkgname-dev $pkgname-doc lib$pkgname:libs"
source="http://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz"
source="http://downloads.sourceforge.net/djvu/djvulibre-$pkgver.tar.gz
djvulibre-3.5.27-check-image-size.patch
djvulibre-3.5.27-check-input-pool.patch
djvulibre-3.5.27-djvuport-stack-overflow.patch
djvulibre-3.5.27-export-file.patch
djvulibre-3.5.27-integer-overflow.patch
djvulibre-3.5.27-out-of-bound-write-2.patch
djvulibre-3.5.27-unsigned-short-overflow.patch"
# secfixes:
# 3.5.28-r1:
# - CVE-2021-3500
# - CVE-2021-32490
# - CVE-2021-32491
# - CVE-2021-32492
# - CVE-2021-32493
prepare() {
default_prepare
......@@ -42,4 +57,11 @@ libs() {
sha512sums="
db3b8a5b56d700e911be32057f721a2a597e6f52e6fade203ad75ad76ab2d8facff2e474fd18beea703ccd5fa6425352e619a8fda40e69add1724dbee26050c6 djvulibre-3.5.28.tar.gz
f73f0fe6e8a3a38b617ca4085c4a1ff88d9a0a9ba1c1501856d2b489388b624535901d9fb7387a052b922eeda441cdddef16198ae6beeac7d691d27be8691eb4 djvulibre-3.5.27-check-image-size.patch
5cc31f7c02972de99d413601e9ae31fb32e63ba6427163fb04fb522f479e5ed737ddbf122d3dbf541a3e1ecfb42870ed315dc7f5ce620a392efe72c08475e9b9 djvulibre-3.5.27-check-input-pool.patch
52feb4b1f3db515fb3228287ddfb82ef62c9ddd85e1f3cae551a25e21e402f69ceec38133aabb9a581ad6fbc113ef65e7297f0bdbe34fb75077314e5cc40a2d7 djvulibre-3.5.27-djvuport-stack-overflow.patch
b7a05df01060376079a0c59df2ecf20efddbd1b08e42c99e18ed94e89481c1850393488de39421bd8f31b6c6ce647a11b29b1a98306f121584792fc1b040e698 djvulibre-3.5.27-export-file.patch
9c1bdfcfcc003076cf9effd5a2d4df04e5ab9b9f891ab0ee7f0f5d7fcd5c83f605bd1e3e0be51132c18fa91900f49c2f7165b8426490c522a5a8f59e9d9e09e3 djvulibre-3.5.27-integer-overflow.patch
69ad8be81c20bf02bec3426a42c90ff9aafba38ed216f8563434aa7921fbd45973981c07076208374f637fb9e6e4a9b58e8639337288b6b34b2dbee77ff6eac1 djvulibre-3.5.27-out-of-bound-write-2.patch
ff08cc6e21053c42454e3855095d6fbea6a7e99924b2e977dd723df6e63f09d3375c4db88bd678a576d635b34a5e19358f766af59eeedfbdb7c62cde2d6962bf djvulibre-3.5.27-unsigned-short-overflow.patch
"
diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp
index e8d4b44..aa3d554 100644
--- a/libdjvu/IW44Image.cpp
+++ b/libdjvu/IW44Image.cpp
@@ -678,7 +678,11 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
size_t sz = bw * bh;
if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+ if (sz == 0)
+ G_THROW("IW44Image: zero size image (corrupted file?)");
GPBuffer<short> gdata16(data16,sz);
+ if (data16 == NULL)
+ G_THROW("IW44Image: unable to allocate image data");
// Copy coefficients
int i;
short *p = data16;
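Review bot: The new zero-size check sits after the overflow test on the line above it, which divides by bw, so a decoded width of 0 still reaches `sz / (size_t)bw` and divides by zero before the `sz == 0` throw is ever evaluated. Test the operands rather than the product, ahead of the `size_t sz = bw * bh;` line: `if (bw <= 0 || bh <= 0) G_THROW("IW44Image: zero size image (corrupted file?)");` (assuming bw and bh are signed ints, as the size_t casts suggest; the form also works for unsigned types), which makes the later `sz == 0` guard redundant. The `data16 == NULL` test after constructing `gdata16` assumes GPBuffer leaves the pointer null on allocation failure instead of throwing, which is worth confirming against GPBuffer's definition. IW44Image::Map::image begins and ends outside the hunk.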
diff --git a/libdjvu/DataPool.cpp b/libdjvu/DataPool.cpp
index 5fcbedf..4c2eaf0 100644
--- a/libdjvu/DataPool.cpp
+++ b/libdjvu/DataPool.cpp
@@ -791,6 +791,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
DEBUG_MAKE_INDENT(3);
+ if (!pool) G_THROW( ERR_MSG("DataPool.zero_DataPool") );
+
DataPool *xpool=new DataPool();
GP<DataPool> retval=xpool;
xpool->init();
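Review bot: The new `if (!pool)` guard carries no comment saying what it protects, and the hunk ends before the first use of pool, so a reader cannot see from here which dereference it prevents. A one-line comment such as `// Reject a null parent pool before it is used below (corrupted or hostile input)` would tie the check to its reason, assuming the code past the hunk does dereference it as the sub-pool parent. The guard covers only the pool argument; whether start and length are range-checked further down is outside the hunk. The DEBUG_MSG above still runs for a null pool, which is harmless since it only casts the pointer, but placing the check above it would avoid tracing an argument that is then rejected.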
diff --git a/libdjvu/DjVuPort.cpp b/libdjvu/DjVuPort.cpp
index 2b3e0d2..ede7f6b 100644
--- a/libdjvu/DjVuPort.cpp
+++ b/libdjvu/DjVuPort.cpp
@@ -507,10 +507,19 @@ GP<DjVuFile>
DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
{
GPList<DjVuPort> list;
+
+ if (!!opening_id && opening_id == id)
+ G_THROW("DjVuPortcaster: recursive opening of the same file (corrupted file?)");
+ else
+ opening_id = id;
+
compute_closure(source, list, true);
GP<DjVuFile> file;
for(GPosition pos=list;pos;++pos)
if ((file=list[pos]->id_to_file(source, id))) break;
+
+ opening_id = GUTF8String();
+
return file;
}
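Review bot: The guard is reset only on the normal return path, so a G_THROW raised by one of the `list[pos]->id_to_file(source, id)` calls leaves `opening_id` set and the next open of that same id is wrongly rejected as recursive; the reset needs to happen on every exit path. A single string also detects only immediate self-recursion: with an A→B→A open chain the inner call overwrites `opening_id` with B, so re-entering A is not seen and the cycle the patch aims at still recurses, which would need a collection of in-flight ids rather than one value. The same member is added in the DjVuPort.h hunk; nothing in either hunk synchronises it, so if a portcaster is shared between threads concurrent opens would race on it and could raise false "recursive opening" errors — confirm whether the portcaster is per-thread or lock-protected. The sketch below makes the reset exception-safe with a local RAII holder; it assumes G_THROW is a C++ throw here, since djvulibre's exception-emulation build mode would not run destructors.
```cpp
GP<DjVuFile>
DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
{
  GPList<DjVuPort> list;
  if (!!opening_id && opening_id == id)
    G_THROW("DjVuPortcaster: recursive opening of the same file (corrupted file?)");
  // Restore opening_id on every exit path, including a G_THROW raised by a
  // port's id_to_file below; a stale id would make the next open of the
  // same file fail as "recursive".
  struct OpeningIdGuard {
    GUTF8String &slot;
    GUTF8String saved;
    OpeningIdGuard(GUTF8String &s, const GUTF8String &cur) : slot(s), saved(s) { slot = cur; }
    ~OpeningIdGuard() { slot = saved; }
  } guard(opening_id, id);
  compute_closure(source, list, true);
  // … unchanged: GP<DjVuFile> file; loop over list calling id_to_file …
  return file;
}
```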
diff --git a/libdjvu/DjVuPort.h b/libdjvu/DjVuPort.h
index e2b3125..313dc2b 100644
--- a/libdjvu/DjVuPort.h
+++ b/libdjvu/DjVuPort.h
@@ -484,6 +484,7 @@ private:
const DjVuPort *dst, int distance);
void compute_closure(const DjVuPort *src, GPList<DjVuPort> &list,
bool sorted=false);
+ GUTF8String opening_id;
};
--- djvulibre-3.5.27/desktopfiles/Makefile.am
+++ djvulibre-3.5.27/desktopfiles/Makefile.am
@@ -32,10 +32,9 @@ if HAVE_CONVERSION_INKSCAPE
convert_icons_process = \
s=`echo $@ | sed -e 's/[a-z]*\([0-9]*\).*/\1/'`; \
${INKSCAPE} \
---without-gui \
--export-width=$${s} \
--export-height=$${s} \
---export-png=$@ $<
+--export-filename=$@ $<
endif
if HAVE_CONVERSION_CONVERT
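Review bot: This hunk rewrites the icon conversion rule to the Inkscape 1.0 command line (`--export-filename`, no `--without-gui`), which is a build fix rather than one of the CVE mitigations named in the commit title, and neither the patch file name nor the commit message says so. A header line at the top of the patch file such as `Build fix: Inkscape 1.0 removed --without-gui and --export-png; not security related` would keep a later audit of the secfixes list from mis-attributing it. Inkscape 0.92 does not know `--export-filename`, so the rule now fails on older toolchains; the HAVE_CONVERSION_INKSCAPE conditional that wraps it begins outside the hunk, so whether configure detects the Inkscape version cannot be seen here. The Makefile.in hunk is the generated copy of the same change.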
--- djvulibre-3.5.27/desktopfiles/Makefile.in
+++ djvulibre-3.5.27/desktopfiles/Makefile.in
@@ -306,10 +306,9 @@ PNGICONS = \
@HAVE_CONVERSION_INKSCAPE_TRUE@convert_icons_process = \
@HAVE_CONVERSION_INKSCAPE_TRUE@s=`echo $@ | sed -e 's/[a-z]*\([0-9]*\).*/\1/'`; \
@HAVE_CONVERSION_INKSCAPE_TRUE@${INKSCAPE} \
-@HAVE_CONVERSION_INKSCAPE_TRUE@--without-gui \
@HAVE_CONVERSION_INKSCAPE_TRUE@--export-width=$${s} \
@HAVE_CONVERSION_INKSCAPE_TRUE@--export-height=$${s} \
-@HAVE_CONVERSION_INKSCAPE_TRUE@--export-png=$@ $<
+@HAVE_CONVERSION_INKSCAPE_TRUE@--export-filename=$@ $<
@HAVE_CONVERSION_RSVG_TRUE@convert_icons_process = \
@HAVE_CONVERSION_RSVG_TRUE@s=`echo $@ | sed -e 's/[a-z]*\([0-9]*\).*/\1/'`; \
diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
index 7109952..b41f7d2 100644
--- a/tools/ddjvu.cpp
+++ b/tools/ddjvu.cpp
@@ -70,6 +70,7 @@
#include <locale.h>
#include <fcntl.h>
#include <errno.h>
+#include <stdint.h>
#ifdef UNIX
# include <sys/time.h>
@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno)
rowsize = rrect.w;
else
rowsize = rrect.w * 3;
- if (! (image = (char*)malloc(rowsize * rrect.h)))
+ if ((size_t)rowsize > SIZE_MAX / rrect.h)
+ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
+ if (! (image = (char*)malloc((size_t)rowsize * rrect.h)))
die(i18n("Cannot allocate image buffer for page %d"), pageno);
/* Render */
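Review bot: The new overflow guard divides SIZE_MAX by rrect.h without first ruling out a zero height, so a page whose render rectangle has h == 0 now divides by zero where the old code would have asked malloc for zero bytes. Extend the test to `if (rrect.h == 0 || (size_t)rowsize > SIZE_MAX / rrect.h)` and decide whether a zero-height page should die with the same message or be skipped. Whether rrect.h can be zero depends on how rrect is computed earlier in render(), which is outside the hunk; rowsize's type is not visible either, so the `(size_t)` cast is assumed to widen a non-negative int. The added `<stdint.h>` include in the first hunk is needed only for SIZE_MAX.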
diff --git a/libdjvu/DjVuText.cpp b/libdjvu/DjVuText.cpp
index 60a4f39..b11df7b 100644
--- a/libdjvu/DjVuText.cpp
+++ b/libdjvu/DjVuText.cpp
@@ -345,7 +345,8 @@ DjVuTXT::decode(const GP<ByteStream> &gbs)
int textsize = bs.read24();
char *buffer = textUTF8.getbuf(textsize);
int readsize = bs.read(buffer,textsize);
- buffer[readsize] = 0;
+ if (buffer)
+ buffer[readsize] = 0;
if (readsize < textsize)
G_THROW( ERR_MSG("DjVuText.corrupt_chunk") );
// Try reading zones
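Review bot: The null check guards only the terminator store, yet the same possibly-null buffer was passed to `bs.read(buffer,textsize)` on the line just above it, so if getbuf() can return NULL for a non-zero textsize the first write through the null pointer happens in the read rather than on the line being fixed. Checking before the read and treating a missing buffer as corruption keeps the failure visible instead of silently skipping the terminator: `if (!buffer && textsize > 0) G_THROW( ERR_MSG("DjVuText.corrupt_chunk") );` inserted after the getbuf() line. Whether getbuf() returns NULL only for textsize == 0 (in which case the current change suffices) or also on allocation failure cannot be seen from the hunk, nor whether it allocates textsize+1 bytes so that `buffer[readsize]` with readsize == textsize stays in bounds. DjVuTXT::decode continues past the hunk.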
diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
index c2fdbe4..e271a1d 100644
--- a/libdjvu/GBitmap.cpp
+++ b/libdjvu/GBitmap.cpp
@@ -69,6 +69,7 @@
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
// - Author: Leon Bottou, 05/1997
@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
// initialize pixel array
if (nrows==0 || ncolumns==0)
G_THROW( ERR_MSG("GBitmap.not_init") );
+ if (ncolumns > USHRT_MAX - border)
+ G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
bytes_per_row = ncolumns + border;
if (runs==0)
G_THROW( ERR_MSG("GBitmap.null_arg") );
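Review bot: The new guard throws a raw string literal while the throws on the lines directly above and below it use `ERR_MSG("GBitmap.…")` keys; if ERR_MSG keys are resolved through a message catalogue the new message bypasses it, so `G_THROW( ERR_MSG("GBitmap.<new-key>") )` with a matching catalogue entry would follow the file's convention (the IW44Image and DjVuPort hunks mix the two styles the same way). The bound protects only decode(); if `bytes_per_row = ncolumns + border` is also computed in other initialisers outside this hunk, they need the same check or the overflow remains reachable there. The `<limits.h>` include added in the first hunk exists only for USHRT_MAX, which is fine.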