Merge pull request #74875 from d-goldin/djvulibre_sec_patches
commit
484b469caf
7 changed files with 344 additions and 0 deletions
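--- /dev/null
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch
@@ -0,0 +1,72 @@
+commit 970fb11a296b5bbdc5e8425851253d2c5913c45e
+Author: Leon Bottou <leon@bottou.org>
+Date: Tue Mar 26 20:36:31 2019 -0400
+
+Fix bug#296
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index a6a39e0..0a0fac6 100644
+--- a/libdjvu/DjVmDir.cpp
++++ b/libdjvu/DjVmDir.cpp
+@@ -299,42 +299,44 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+memcpy((char*) strings+strings_size, buffer, length);
+}
+DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
+- if (strings[strings.size()-1] != 0)
+- {
+- int strings_size=strings.size();
+- strings.resize(strings_size+1);
+- strings[strings_size] = 0;
+- }
++ int strings_size=strings.size();
++ strings.resize(strings_size+3);
++ memset((char*) strings+strings_size, 0, 4);
+
+- // Copy names into the files
++ // Copy names into the files
+const char * ptr=strings;
+for(pos=files_list;pos;++pos)
+{
+GP<File> file=files_list[pos];
+-
++ if (ptr >= (const char*)strings + strings_size)
++ G_THROW( "DjVu document is corrupted (DjVmDir)" );
+file->id=ptr;
+ptr+=file->id.length()+1;
+if (file->flags & File::HAS_NAME)
+{
+- file->name=ptr;
+- ptr+=file->name.length()+1;
+- } else
++ file->name=ptr;
++ ptr+=file->name.length()+1;
++ }
++ else
+{
+file->name=file->id;
+}
+if (file->flags & File::HAS_TITLE)
+{
+- file->title=ptr;
+- ptr+=file->title.length()+1;
+- } else
+- file->title=file->id;
+- /* msr debug: multipage file, file->title is null.
++ file->title=ptr;
++ ptr+=file->title.length()+1;
++ }
++ else
++ {
++ file->title=file->id;
++ }
++ /* msr debug: multipage file, file->title is null.
+DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
+file->offset << ", " << file->size << ", " <<
+file->is_page() << "\n"); */
+}
+
+- // Check that there is only one file with SHARED_ANNO flag on
++ // Check that there is only one file with SHARED_ANNO flag on
+int shared_anno_cnt=0;
+for(pos=files_list;pos;++pos)
+{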
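Review bot: The four NUL bytes appended after the names block are what keep the unchecked `file->name=ptr` and `file->title=ptr` reads in bounds, and nothing in the DjVmDir.cpp hunk says so. Only `file->id` is guarded by `ptr >= (const char*)strings + strings_size`; name and title can each start one byte further into the padding, so the padding width and the number of unguarded reads have to stay in step. A comment above the `memset` such as `// pad with 4 NULs: id is bounds-checked, name and title may each start one byte further in` would record that. The code also appears to assume that `strings.resize(strings_size+3)` takes an upper index rather than a length, since otherwise the 4-byte `memset` would write one byte past the buffer; that is not visible here and is worth confirming. DjVmDir::decode starts and ends outside the hunk.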
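--- /dev/null
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-15143.patch
@@ -0,0 +1,39 @@
+commit b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f
+Author: Leon Bottou <leon@bottou.org>
+Date: Tue Mar 26 20:45:46 2019 -0400
+
+fix for bug #297
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index 0a0fac6..5a49015 100644
+--- a/libdjvu/DjVmDir.cpp
++++ b/libdjvu/DjVmDir.cpp
+@@ -309,7 +309,7 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+{
+GP<File> file=files_list[pos];
+if (ptr >= (const char*)strings + strings_size)
+- G_THROW( "DjVu document is corrupted (DjVmDir)" );
++ G_THROW( ByteStream::EndOfFile );
+file->id=ptr;
+ptr+=file->id.length()+1;
+if (file->flags & File::HAS_NAME)
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index 0e487f0..c2fdbe4 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs)
+int c = 0;
+while (n >= 0)
+{
+- bs.read(&h, 1);
++ if (bs.read(&h, 1) <= 0)
++ G_THROW( ByteStream::EndOfFile );
+int x = h;
+if (x >= (int)RUNOVERFLOWVALUE)
+{
+- bs.read(&h, 1);
++ if (bs.read(&h, 1) <= 0)
++ G_THROW( ByteStream::EndOfFile );
+x = h + ((x - (int)RUNOVERFLOWVALUE) << 8);
+}
+if (c+x > ncolumns)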
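Review bot: The DjVmDir.cpp hunk replaces the explicit "DjVu document is corrupted (DjVmDir)" error with `ByteStream::EndOfFile`, which changes how a malformed names block is reported. If any caller of DjVmDir::decode treats EndOfFile as a benign "no more data yet" condition (not visible on this page), a corrupt directory could be retried or ignored instead of rejected; a short comment on the `G_THROW` stating why EndOfFile is the intended class would help. In the GBitmap.cpp hunk the same two-line read-and-throw appears twice in `read_rle_raw`, and a small local helper would keep the two checks from drifting apart. Both functions continue outside their hunks.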
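--- /dev/null
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-15144.patch
@@ -0,0 +1,111 @@
+commit e15d51510048927f172f1bf1f27ede65907d940d
+Author: Leon Bottou <leon@bottou.org>
+Date: Mon Apr 8 22:25:55 2019 -0400
+
+bug 299 fixed
+
+diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h
+index 96b067c..0140211 100644
+--- a/libdjvu/GContainer.h
++++ b/libdjvu/GContainer.h
+@@ -550,52 +550,61 @@ public:
+template <class TYPE> void
+GArrayTemplate<TYPE>::sort(int lo, int hi)
+{
+- if (hi <= lo)
+- return;
+- if (hi > hibound || lo<lobound)
+- G_THROW( ERR_MSG("GContainer.illegal_subscript") );
+TYPE *data = (TYPE*)(*this);
+- // Test for insertion sort
+- if (hi <= lo + 50)
++ while(true)
+{
+- for (int i=lo+1; i<=hi; i++)
++ if (hi <= lo)
++ return;
++ if (hi > hibound || lo<lobound)
++ G_THROW( ERR_MSG("GContainer.illegal_subscript") );
++ // Test for insertion sort
++ if (hi <= lo + 50)
+{
+- int j = i;
+- TYPE tmp = data[i];
+- while ((--j>=lo) && !(data[j]<=tmp))
+- data[j+1] = data[j];
+- data[j+1] = tmp;
++ for (int i=lo+1; i<=hi; i++)
++ {
++ int j = i;
++ TYPE tmp = data[i];
++ while ((--j>=lo) && !(data[j]<=tmp))
++ data[j+1] = data[j];
++ data[j+1] = tmp;
++ }
++ return;
+}
+- return;
+- }
+- // -- determine suitable quick-sort pivot
+- TYPE tmp = data[lo];
+- TYPE pivot = data[(lo+hi)/2];
+- if (pivot <= tmp)
+- { tmp = pivot; pivot=data[lo]; }
+- if (data[hi] <= tmp)
+- { pivot = tmp; }
+- else if (data[hi] <= pivot)
+- { pivot = data[hi]; }
+- // -- partition set
+- int h = hi;
+- int l = lo;
+- while (l < h)
+- {
+- while (! (pivot <= data[l])) l++;
+- while (! (data[h] <= pivot)) h--;
+- if (l < h)
++ // -- determine median-of-three pivot
++ TYPE tmp = data[lo];
++ TYPE pivot = data[(lo+hi)/2];
++ if (pivot <= tmp)
++ { tmp = pivot; pivot=data[lo]; }
++ if (data[hi] <= tmp)
++ { pivot = tmp; }
++ else if (data[hi] <= pivot)
++ { pivot = data[hi]; }
++ // -- partition set
++ int h = hi;
++ int l = lo;
++ while (l < h)
+{
+- tmp = data[l];
+- data[l] = data[h];
+- data[h] = tmp;
+- l = l+1;
+- h = h-1;
++ while (! (pivot <= data[l])) l++;
++ while (! (data[h] <= pivot)) h--;
++ if (l < h)
++ {
++ tmp = data[l];
++ data[l] = data[h];
++ data[h] = tmp;
++ l = l+1;
++ h = h-1;
++ }
++ }
++ // -- recurse, small partition first
++ // tail-recursion elimination
++ if (h - lo <= hi - l) {
++ sort(lo,h);
++ lo = l; // sort(l,hi)
++ } else {
++ sort(l,hi);
++ hi = h; // sort(lo,h)
+}
+}
+- // -- recursively restart
+- sort(lo, h);
+- sort(l, hi);
+}
+
+template<class TYPE> inline TYPE&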
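Review bot: The pivot index `(lo+hi)/2` is carried unchanged into the new loop in `GArrayTemplate<TYPE>::sort`, and the signed sum can overflow once both bounds exceed half of INT_MAX; `TYPE pivot = data[lo+(hi-lo)/2];` avoids that. The stack-depth bound this patch is after comes from recursing only into the smaller partition, so the comment `// -- recurse, small partition first` could add that this limits recursion to roughly log2(hi-lo) frames. The inner scans `while (! (pivot <= data[l])) l++;` have no index bound of their own and rely on `operator<=` being a consistent ordering for TYPE, which was already the case before this change.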
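--- /dev/null
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-15145.patch
@@ -0,0 +1,28 @@
+commit 9658b01431cd7ff6344d7787f855179e73fe81a7
+Author: Leon Bottou <leon@bottou.org>
+Date: Mon Apr 8 22:55:38 2019 -0400
+
+fix bug #298
+
+diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h
+index e8e0c9b..ca89a19 100644
+--- a/libdjvu/GBitmap.h
++++ b/libdjvu/GBitmap.h
+@@ -566,7 +566,7 @@ GBitmap::operator[](int row)
+{
+if (!bytes)
+uncompress();
+- if (row<0 || row>=nrows) {
++ if (row<0 || row>=nrows || !bytes) {
+#ifndef NDEBUG
+if (zerosize < bytes_per_row + border)
+G_THROW( ERR_MSG("GBitmap.zero_small") );
+@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const
+{
+if (!bytes)
+((GBitmap*)this)->uncompress();
+- if (row<0 || row>=nrows) {
++ if (row<0 || row>=nrows || !bytes) {
+#ifndef NDEBUG
+if (zerosize < bytes_per_row + border)
+G_THROW( ERR_MSG("GBitmap.zero_small") );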
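Review bot: With `!bytes` added to the condition, a bitmap whose `uncompress()` left `bytes` null now takes the out-of-range-row path in both `operator[]` overloads, and the only size check on that path, `zerosize < bytes_per_row + border`, sits under `#ifndef NDEBUG`. In a release build the substitute row is handed out without that check, so it presumably depends on the zero buffer having been sized elsewhere; the return statement is outside the hunk, so this cannot be confirmed here. Consider making the `zerosize` test unconditional, or add a comment such as `// bytes can still be null after uncompress() on malformed input; fall back to the zero row` so the reason for the extra clause is recorded.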
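--- /dev/null
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-18804.patch
@@ -0,0 +1,32 @@
+commit c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125
+Author: Leon Bottou <leon@bottou.org>
+Date: Thu Oct 17 22:20:31 2019 -0400
+
+Fixed bug 309
+
+diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp
+index 00752a0..f81eaeb 100644
+--- a/libdjvu/IW44EncodeCodec.cpp
++++ b/libdjvu/IW44EncodeCodec.cpp
+@@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale)
+int y = 0;
+int s = scale*rowsize;
+int s3 = s+s+s;
+- h = ((h-1)/scale)+1;
++ h = (h>0) ? ((h-1)/scale)+1 : 0;
+y += 1;
+p += s;
+while (y-3 < h)
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 6d0df3b..7109952 100644
+--- a/tools/ddjvu.cpp
++++ b/tools/ddjvu.cpp
+@@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno)
+prect.h = (ih * 100) / dpi;
+}
+/* Process aspect ratio */
+- if (flag_aspect <= 0)
++ if (flag_aspect <= 0 && iw>0 && ih>0)
+{
+double dw = (double)iw / prect.w;
+double dh = (double)ih / prect.h;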
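Review bot: In `filter_fv` the new guard sets `h` to 0 for non-positive heights, but the loop `while (y-3 < h)` is still entered in that case, because `y` is already 1 and `p` has already been advanced by `s`. Whether every row access inside the loop is guarded against `h` is outside the hunk, so a comment such as `// h==0: loop body still runs for y=1,2; per-row checks below must skip all accesses` would make the intent explicit. In the ddjvu.cpp hunk the new test covers `iw` and `ih`, while the divisors are `prect.w` and `prect.h`, which the visible `(ih * 100) / dpi` can truncate to 0 for very small pages. That division is floating-point and does not trap, but how `dw` and `dh` are used afterwards is not shown.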
|
@ -24,6 +24,17 @@ stdenv.mkDerivation rec {
|
|||
libiconv
|
||||
];
|
||||
|
||||
patches = [
|
||||
./CVE-2019-18804.patch
|
||||
# This one is needed to make the following
|
||||
# two CVE patches apply cleanly
|
||||
./fix_hongfuzz_crash.patch
|
||||
./CVE-2019-15142.patch
|
||||
./CVE-2019-15143.patch
|
||||
./CVE-2019-15144.patch
|
||||
./CVE-2019-15145.patch
|
||||
];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "The big set of CLI tools to make/modify/optimize/show/export DJVU files";
|
||||
homepage = "http://djvu.sourceforge.net";
|
||||
|
|
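Review bot: The comment above `./fix_hongfuzz_crash.patch` says it is needed for "the following two CVE patches", but four CVE patches follow it in the list. Going by the patch contents on this page, only `CVE-2019-15142.patch` (which rewrites the DjVmDir.cpp lines the hongfuzz patch adds) and `CVE-2019-15143.patch` (which builds on 15142) depend on it, so naming them protects against a later reorder: `# Prerequisite for CVE-2019-15142 and CVE-2019-15143 (DjVmDir.cpp); keep this order`. The hongfuzz patch also enlarges two stack buffers, so it is a fix in its own right and not only a prerequisite. The patch files are vendored copies, and a comment naming the upstream repository the commit ids were taken from would let a reviewer verify them.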
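--- /dev/null
+++ b/pkgs/applications/misc/djvulibre/fix_hongfuzz_crash.patch
@@ -0,0 +1,51 @@
+commit 89d71b01d606e57ecec2c2930c145bb20ba5bbe3
+Author: Leon Bottou <leon@bottou.org>
+Date: Fri Jul 13 08:46:22 2018 -0400
+
+fix hongfuzz crash.
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index d322323..a6a39e0 100644
+--- a/libdjvu/DjVmDir.cpp
++++ b/libdjvu/DjVmDir.cpp
+@@ -299,7 +299,13 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+memcpy((char*) strings+strings_size, buffer, length);
+}
+DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
+-
++ if (strings[strings.size()-1] != 0)
++ {
++ int strings_size=strings.size();
++ strings.resize(strings_size+1);
++ strings[strings_size] = 0;
++ }
++
+// Copy names into the files
+const char * ptr=strings;
+for(pos=files_list;pos;++pos)
+diff --git a/libdjvu/miniexp.cpp b/libdjvu/miniexp.cpp
+index 6a5cd90..828addc 100644
+--- a/libdjvu/miniexp.cpp
++++ b/libdjvu/miniexp.cpp
+@@ -1065,7 +1065,7 @@ print_c_string(const char *s, char *d, int flags, size_t len)
+c = (unsigned char)(*s++);
+if (char_quoted(c, flags))
+{
+- char buffer[10];
++ char buffer[16]; /* 10+1 */
+static const char *tr1 = "\"\\tnrbf";
+static const char *tr2 = "\"\\\t\n\r\b\f";
+buffer[0] = buffer[1] = 0;
+diff --git a/tools/csepdjvu.cpp b/tools/csepdjvu.cpp
+index 7ed13ad..fab9472 100644
+--- a/tools/csepdjvu.cpp
++++ b/tools/csepdjvu.cpp
+@@ -1834,7 +1834,7 @@ main(int argc, const char **argv)
+ByteStream::create(GURL::Filename::UTF8(arg),"rb");
+BufferByteStream ibs(*fbs);
+do {
+- char pagename[16];
++ char pagename[20];
+sprintf(pagename, "p%04d.djvu", ++pageno);
+if (opts.verbose > 1)
+DjVuPrintErrorUTF8("%s","--------------------\n");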
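Review bot: In the csepdjvu.cpp hunk the buffer grows to `char pagename[20]`, but the write is still an unbounded `sprintf(pagename, "p%04d.djvu", ++pageno)`. Twenty bytes cover the longest output if `pageno` is a 32-bit int, so the overflow is closed, yet the bound lives only in the reader's arithmetic; `snprintf(pagename, sizeof(pagename), "p%04d.djvu", ++pageno);` states it in code. In miniexp.cpp the comment `/* 10+1 */` does not match the declared size of 16 and could say what the 11 bytes are for. The DjVmDir.cpp hunk indexes `strings[strings.size()-1]` without handling an empty names block; CVE-2019-15142.patch in this same commit removes that check.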