nixpkgs/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch


commit 970fb11a296b5bbdc5e8425851253d2c5913c45e
Author: Leon Bottou <leon@bottou.org>
Date: Tue Mar 26 20:36:31 2019 -0400
Fix bug#296
diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
index a6a39e0..0a0fac6 100644
--- a/libdjvu/DjVmDir.cpp
+++ b/libdjvu/DjVmDir.cpp
@@ -299,42 +299,44 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
memcpy((char*) strings+strings_size, buffer, length);
}
DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
- if (strings[strings.size()-1] != 0)
- {
- int strings_size=strings.size();
- strings.resize(strings_size+1);
- strings[strings_size] = 0;
- }
+ int strings_size=strings.size();
+ strings.resize(strings_size+3);
+ memset((char*) strings+strings_size, 0, 4);
- // Copy names into the files
+ // Copy names into the files
const char * ptr=strings;
for(pos=files_list;pos;++pos)
{
GP<File> file=files_list[pos];
-
+ if (ptr >= (const char*)strings + strings_size)
+ G_THROW( "DjVu document is corrupted (DjVmDir)" );
file->id=ptr;
ptr+=file->id.length()+1;
if (file->flags & File::HAS_NAME)
{
- file->name=ptr;
- ptr+=file->name.length()+1;
- } else
+ file->name=ptr;
+ ptr+=file->name.length()+1;
+ }
+ else
{
file->name=file->id;
}
if (file->flags & File::HAS_TITLE)
{
- file->title=ptr;
- ptr+=file->title.length()+1;
- } else
- file->title=file->id;
- /* msr debug: multipage file, file->title is null.
+ file->title=ptr;
+ ptr+=file->title.length()+1;
+ }
+ else
+ {
+ file->title=file->id;
+ }
+ /* msr debug: multipage file, file->title is null.
DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
file->offset << ", " << file->size << ", " <<
file->is_page() << "\n"); */
}
- // Check that there is only one file with SHARED_ANNO flag on
+ // Check that there is only one file with SHARED_ANNO flag on
int shared_anno_cnt=0;
for(pos=files_list;pos;++pos)
{
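Review bot: The constants in `strings.resize(strings_size+3)` and `memset((char*) strings+strings_size, 0, 4)` carry the memory-safety argument for the whole copy loop, and nothing in the code says so. The new `ptr >= (const char*)strings + strings_size` check runs once per entry, before `file->id`, so the `file->name` and `file->title` reads that follow rely on the four zero bytes to find a terminator inside the buffer; this also presumes `resize` takes the highest valid index rather than an element count, which the hunk does not show. I would add above the resize `// Pad with 4 NULs: id, name and title are read after a single bounds check, so each read must still hit a terminator`, and keep the pad in step if another string field is ever read in this loop. As written, an entry whose name or title falls in the padding decodes as an empty string instead of raising the "corrupted" error, which may be intended but is worth stating. `DjVmDir::decode` starts and ends outside this hunk.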