nixpkgs/pkgs/applications/misc/djvulibre/CVE-2021-3500+CVE-2021-32490+CVE-2021-32491+CVE-2021-32492+CVE-2021-32493.patch
Henri Rosten eeb19e9f25 djvulibre: patch multiple CVEs
Signed-off-by: Henri Rosten <henri.rosten@unikie.com>
2023-08-02 15:06:35 +03:00

105 lines
No EOL
4.3 KiB
Diff

From cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6 Mon Sep 17 00:00:00 2001
From: Leon Bottou <leon@bottou.org>
Date: Tue, 11 May 2021 14:44:09 -0400
Subject: [PATCH] Reviewed Fedora patches and adopted some of them (or variants
thereof)
- Patch0: djvulibre-3.5.22-cdefs.patch (forward ported)
Does not make imuch sense. GSmartPointer.h already includes "stddef.h"
- Patch6: djvulibre-3.5.27-export-file.patch (forward ported)
Incorrect: inkscape command is --export-png, not --export-filename.
- Patch8: djvulibre-3.5.27-check-image-size.patch (forward ported)
Correct: adopted a variant of this
- Patch9: djvulibre-3.5.27-integer-overflow.patch (forward ported)
Correct: adopted a variant of this
- Patch10: djvulibre-3.5.27-check-input-pool.patch (forward ported)
Adopted: input validation never hurts
- Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch (forward ported)
Dubious: Instead I changed djvufile to prevent a file from including itself
which is the only way I can imagine to create an file creation loop.
- Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch (forward ported)
Adopted: but without including limits.h
---
libdjvu/DataPool.cpp | 3 ++-
libdjvu/DjVuFile.cpp | 2 ++
libdjvu/GBitmap.cpp | 2 ++
libdjvu/IW44Image.cpp | 4 ++++
tools/ddjvu.cpp | 7 +++++--
5 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/libdjvu/DataPool.cpp b/libdjvu/DataPool.cpp
index 5fcbedf..b58fc45 100644
--- a/libdjvu/DataPool.cpp
+++ b/libdjvu/DataPool.cpp
@@ -790,7 +790,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
{
DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
DEBUG_MAKE_INDENT(3);
-
+ if (!pool)
+ G_THROW( ERR_MSG("DataPool.zero_DataPool") );
DataPool *xpool=new DataPool();
GP<DataPool> retval=xpool;
xpool->init();
diff --git a/libdjvu/DjVuFile.cpp b/libdjvu/DjVuFile.cpp
index 143346b..2587491 100644
--- a/libdjvu/DjVuFile.cpp
+++ b/libdjvu/DjVuFile.cpp
@@ -576,6 +576,8 @@ DjVuFile::process_incl_chunk(ByteStream & str, int file_num)
GURL incl_url=pcaster->id_to_url(this, incl_str);
if (incl_url.is_empty()) // Fallback. Should never be used.
incl_url=GURL::UTF8(incl_str,url.base());
+ if (incl_url == url) // Infinite loop avoidance
+ G_THROW( ERR_MSG("DjVuFile.malformed") );
// Now see if there is already a file with this *name* created
{
diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
index c2fdbe4..8ad64b2 100644
--- a/libdjvu/GBitmap.cpp
+++ b/libdjvu/GBitmap.cpp
@@ -1284,6 +1284,8 @@ GBitmap::decode(unsigned char *runs)
// initialize pixel array
if (nrows==0 || ncolumns==0)
G_THROW( ERR_MSG("GBitmap.not_init") );
+ if (ncolumns + border != (unsigned short)(ncolumns+border))
+ G_THROW("GBitmap: image size exceeds maximum (corrupted file?)");
bytes_per_row = ncolumns + border;
if (runs==0)
G_THROW( ERR_MSG("GBitmap.null_arg") );
diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp
index e8d4b44..4a1797e 100644
--- a/libdjvu/IW44Image.cpp
+++ b/libdjvu/IW44Image.cpp
@@ -676,9 +676,13 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
// Allocate reconstruction buffer
short *data16;
size_t sz = bw * bh;
+ if (sz == 0)
+ G_THROW("IW44Image: image size is zero (corrupted file?)");
if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
GPBuffer<short> gdata16(data16,sz);
+ if (data16 == 0)
+ G_THROW("IW44Image: unable to allocate image buffer");
// Copy coefficients
int i;
short *p = data16;
diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
index 7109952..e7b489b 100644
--- a/tools/ddjvu.cpp
+++ b/tools/ddjvu.cpp
@@ -393,8 +393,11 @@ render(ddjvu_page_t *page, int pageno)
} else if (style == DDJVU_FORMAT_GREY8)
rowsize = rrect.w;
else
- rowsize = rrect.w * 3;
- if (! (image = (char*)malloc(rowsize * rrect.h)))
+ rowsize = rrect.w * 3;
+ size_t bufsize = (size_t)rowsize * rrect.h;
+ if (bufsize / rowsize != rrect.h)
+ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
+ if (! (image = (char*)malloc(bufsize)))
die(i18n("Cannot allocate image buffer for page %d"), pageno);
/* Render */