1 From cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6 Mon Sep 17 00:00:00 2001
2 From: Leon Bottou <leon@bottou.org>
3 Date: Tue, 11 May 2021 14:44:09 -0400
4 Subject: [PATCH] Reviewed Fedora patches and adopted some of them (or variants
5 thereof)
7 - Patch0: djvulibre-3.5.22-cdefs.patch (forward ported)
8 Does not make much sense. GSmartPointer.h already includes "stddef.h"
9 - Patch6: djvulibre-3.5.27-export-file.patch (forward ported)
10 Incorrect: inkscape command is --export-png, not --export-filename.
11 - Patch8: djvulibre-3.5.27-check-image-size.patch (forward ported)
12 Correct: adopted a variant of this
13 - Patch9: djvulibre-3.5.27-integer-overflow.patch (forward ported)
14 Correct: adopted a variant of this
15 - Patch10: djvulibre-3.5.27-check-input-pool.patch (forward ported)
16 Adopted: input validation never hurts
17 - Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch (forward ported)
18 Dubious: Instead I changed djvufile to prevent a file from including itself
19 which is the only way I can imagine to create an file creation loop.
20 - Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch (forward ported)
21 Adopted: but without including limits.h
22 ---
23 libdjvu/DataPool.cpp | 3 ++-
24 libdjvu/DjVuFile.cpp | 2 ++
25 libdjvu/GBitmap.cpp | 2 ++
26 libdjvu/IW44Image.cpp | 4 ++++
27 tools/ddjvu.cpp | 7 +++++--
28 5 files changed, 15 insertions(+), 3 deletions(-)
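--- a/libdjvu/DataPool.cpp
+++ b/libdjvu/DataPool.cpp
@@ -790,7 +790,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
 DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
 DEBUG_MAKE_INDENT(3);
+ if (!pool)
+ G_THROW( ERR_MSG("DataPool.zero_DataPool") );
 DataPool *xpool=new DataPool();
 GP<DataPool> retval=xpool;
 xpool->init();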
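Review bot: The added guard throws `ERR_MSG("DataPool.zero_DataPool")`, while the new checks in the GBitmap.cpp and IW44Image.cpp hunks of this same patch throw plain string literals; if ERR_MSG keys are resolved through a message catalog, the new key needs a matching catalog entry or the user will see the raw key. Either way the two conventions should be reconciled across the patch so the new diagnostics are reported the same way. The placement itself is right: the check runs before `new DataPool()`, so nothing is leaked when it throws. DataPool::create continues outside the hunk, so I cannot tell from here whether `start` and `length` are range-checked later.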
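--- a/libdjvu/DjVuFile.cpp
+++ b/libdjvu/DjVuFile.cpp
@@ -576,6 +576,8 @@ DjVuFile::process_incl_chunk(ByteStream & str, int file_num)
 GURL incl_url=pcaster->id_to_url(this, incl_str);
 if (incl_url.is_empty()) // Fallback. Should never be used.
 incl_url=GURL::UTF8(incl_str,url.base());
+ if (incl_url == url) // Infinite loop avoidance
+ G_THROW( ERR_MSG("DjVuFile.malformed") );
 // Now see if there is already a file with this *name* created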
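Review bot: The added comparison on the `incl_url == url` line rejects only a file that includes itself; an include cycle through two or more files (A includes B, B includes A) passes this test, so the `// Infinite loop avoidance` comment promises more than the check delivers. I would reword it to `// Reject direct self-inclusion; indirect include cycles are not detected here` so the limitation is visible at the call site. If the report this addresses involved indirect cycles, the robust fix is to carry the chain of URLs currently being processed and refuse to descend into any URL already on it, rather than comparing against the current file alone. process_incl_chunk continues outside the hunk, so whether such a chain already exists in this class is not visible here.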
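--- a/libdjvu/GBitmap.cpp
+++ b/libdjvu/GBitmap.cpp
@@ -1284,6 +1284,8 @@ GBitmap::decode(unsigned char *runs)
 // initialize pixel array
 if (nrows==0 || ncolumns==0)
 G_THROW( ERR_MSG("GBitmap.not_init") );
+ if (ncolumns + border != (unsigned short)(ncolumns+border))
+ G_THROW("GBitmap: image size exceeds maximum (corrupted file?)");
 bytes_per_row = ncolumns + border;
 if (runs==0)
 G_THROW( ERR_MSG("GBitmap.null_arg") );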
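Review bot: The added check on the `ncolumns + border` line detects wrap-around by round-tripping the sum through `unsigned short`, which presumably mirrors the type of `bytes_per_row` (declared outside the hunk); that intent is not stated anywhere, so the line reads as a tautology to a reader who does not know about the narrowing. I would put `// bytes_per_row is narrower than this sum; reject widths that would wrap on assignment` directly above it. Note that this only covers the per-row width: if the allocation further down multiplies `nrows` by `bytes_per_row`, that product is not protected by this check. GBitmap::decode continues outside the hunk.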
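--- a/libdjvu/IW44Image.cpp
+++ b/libdjvu/IW44Image.cpp
@@ -676,9 +676,13 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
 // Allocate reconstruction buffer
 short *data16;
 size_t sz = bw * bh;
+ if (sz == 0)
+ G_THROW("IW44Image: image size is zero (corrupted file?)");
 if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
 G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
 GPBuffer<short> gdata16(data16,sz);
+ if (data16 == 0)
+ G_THROW("IW44Image: unable to allocate image buffer");
 // Copy coefficients
 int i;
 short *p = data16;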
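Review bot: The context line `size_t sz = bw * bh;` just above the new `sz == 0` check multiplies `bw` and `bh` in their own type before widening to `size_t`; if they are `int` (their declarations are outside the hunk), the product can overflow before the division test runs, and signed overflow is undefined behaviour, so the `sz / (size_t)bw != (size_t)bh` check is not guaranteed to observe it. Compute the product in the wide type, `size_t sz = (size_t)bw * (size_t)bh;`, and reject negative dimensions before the casts if the types are signed, since a negative value cast to `size_t` becomes a huge one. The new zero check is correctly ordered ahead of the division, so a zero `bw` no longer divides by zero. IW44Image::Map::image continues outside the hunk.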
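--- a/tools/ddjvu.cpp
+++ b/tools/ddjvu.cpp
@@ -393,8 +393,11 @@ render(ddjvu_page_t *page, int pageno)
 } else if (style == DDJVU_FORMAT_GREY8)
 rowsize = rrect.w;
 else
- rowsize = rrect.w * 3;
- if (! (image = (char*)malloc(rowsize * rrect.h)))
+ rowsize = rrect.w * 3;
+ size_t bufsize = (size_t)rowsize * rrect.h;
+ if (bufsize / rowsize != rrect.h)
+ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
+ if (! (image = (char*)malloc(bufsize)))
 die(i18n("Cannot allocate image buffer for page %d"), pageno);
 /* Render */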
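Review bot: The new overflow test `bufsize / rowsize != rrect.h` divides by `rowsize`, which is zero whenever `rrect.w` is zero (the GREY8 branch assigns `rowsize = rrect.w` directly), so a degenerate rectangle now fails with a division by zero where the old code reached `malloc(0)`. Reject that case first, for example `if (rowsize == 0 || rrect.h == 0) die(i18n("Empty image rectangle for page %d"), pageno);` placed before the overflow check, or fold `rowsize == 0 ||` into the existing condition. Whether a zero-width rectangle can actually reach render() depends on its callers, which are outside the hunk, as is the rest of render(); the `rowsize = rrect.w * 3;` line is also a candidate for the same size_t widening if `rrect.w` can be large.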