From 424b0606dd7d63034cf110556c26e1c7ad4660fe Mon Sep 17 00:00:00 2001
From: programmer12 <964969108@qq.com>
Date: Wed, 30 Jun 2021 16:04:56 +0800
Subject: [PATCH] fix CVE-2021-32490 CVE-2021-32491 CVE-2021-32492
---
 CVE-2021-32490.patch | 16 ++++++++++++++++
 CVE-2021-32491.patch | 23 +++++++++++++++++++++++
 CVE-2021-32492.patch | 13 +++++++++++++
 djvulibre.spec | 9 +++++----
 4 files changed, 57 insertions(+), 4 deletions(-)
 create mode 100644 CVE-2021-32490.patch
 create mode 100644 CVE-2021-32491.patch
 create mode 100644 CVE-2021-32492.patch
diff --git a/CVE-2021-32490.patch b/CVE-2021-32490.patch
new file mode 100644
index 0000000..9d0d5b8
--- /dev/null
+++ b/CVE-2021-32490.patch
@@ -0,0 +1,16 @@
+diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp
+index e8d4b44..aa3d554 100644
+--- a/libdjvu/IW44Image.cpp
++++ b/libdjvu/IW44Image.cpp
+@@ -678,7 +678,11 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
+ size_t sz = bw * bh;
+ if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+ G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
++ if (sz == 0)
++ G_THROW("IW44Image: zero size image (corrupted file?)");
+ GPBuffer gdata16(data16,sz);
++ if (data16 == NULL)
++ G_THROW("IW44Image: unable to allocate image data");
+ // Copy coefficients
+ int i;
+ short *p = data16;
diff --git a/CVE-2021-32491.patch b/CVE-2021-32491.patch
new file mode 100644
index 0000000..7d86a2f
--- /dev/null
+++ b/CVE-2021-32491.patch
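Review bot: The added `if (sz == 0)` guard in the IW44Image.cpp hunk comes after the context line `if (sz / (size_t)bw != (size_t)bh)`, so a zero `bw` from a corrupted file would divide by zero before the zero-size check is reached; whether `bw` can be zero at this point is not visible in the hunk. Testing the dimensions ahead of the multiplication, e.g. `if (bw <= 0 || bh <= 0) G_THROW("IW44Image: zero size image (corrupted file?)");`, would close that ordering gap. The same pattern appears in CVE-2021-32491.patch, where the added `SIZE_MAX / rrect.h` guard divides by `rrect.h` without the hunk showing it to be non-zero; `if (rrect.h != 0 && (size_t) rowsize > SIZE_MAX / rrect.h)` avoids that. Both enclosing functions start and end outside the hunks, so an earlier check may already exist.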
@@ -0,0 +1,23 @@
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 7109952..b41f7d2 100644
+--- a/tools/ddjvu.cpp
++++ b/tools/ddjvu.cpp
+@@ -70,6 +70,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #ifdef UNIX
+ # include
+@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno)
+ rowsize = rrect.w;
+ else
+ rowsize = rrect.w * 3;
+- if (! (image = (char*)malloc(rowsize * rrect.h)))
++ if ((size_t) rowsize > SIZE_MAX / rrect.h)
++ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
++ if (! (image = (char*)malloc((size_t) rowsize * rrect.h)))
+ die(i18n("Cannot allocate image buffer for page %d"), pageno);
+ 
+ /* Render */
diff --git a/CVE-2021-32492.patch b/CVE-2021-32492.patch
new file mode 100644
index 0000000..26e08e9
--- /dev/null
+++ b/CVE-2021-32492.patch
@@ -0,0 +1,13 @@
+diff --git a/libdjvu/DataPool.cpp b/libdjvu/DataPool.cpp
+index 5fcbedf..4c2eaf0 100644
+--- a/libdjvu/DataPool.cpp
++++ b/libdjvu/DataPool.cpp
+@@ -791,6 +791,8 @@ DataPool::create(const GP & pool, int start, int length)
+ DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
+ DEBUG_MAKE_INDENT(3);
+ 
++ if (!pool) G_THROW( ERR_MSG("DataPool.zero_DataPool") );
++
+ DataPool *xpool=new DataPool();
+ GP retval=xpool;
+ xpool->init();
diff --git a/djvulibre.spec b/djvulibre.spec
index 200ad7a..ef4cbb2 100644
--- a/djvulibre.spec
+++ b/djvulibre.spec
@@ -12,8 +12,9 @@ Patch3: CVE-2019-15144.patch
 Patch4: CVE-2019-15145.patch
 Patch5: CVE-2019-18804.patch
 Patch6: update-any2djvu-server-hostname.patch
-Patch7: CVE-2021-32493.patch
-Patch8: CVE-2021-3500.patch
+Patch7: CVE-2021-32490.patch
+Patch8: CVE-2021-32491.patch
+Patch9: CVE-2021-32492.patch
 Requires(post): xdg-utils
 Requires(preun): xdg-utils
 BuildRequires: libjpeg-turbo-devel libtiff-devel xdg-utils chrpath hicolor-icon-theme gcc-c++
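Review bot: The djvulibre.spec hunk replaces `Patch7: CVE-2021-32493.patch` and `Patch8: CVE-2021-3500.patch` instead of appending after them, so those two earlier fixes are no longer listed and would stop being applied to the build. Unless they were dropped on purpose, keep both lines and add the new entries as `Patch9: CVE-2021-32490.patch`, `Patch10: CVE-2021-32491.patch` and `Patch11: CVE-2021-32492.patch`. The %prep section is outside the hunk, so confirm it applies the new patch numbers (for example via %autosetup or matching %patch lines). The %changelog hunk likewise overwrites the existing 3.5.27-16 entry rather than adding a new entry with a bumped release, which loses the record of the earlier fix.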
@@ -96,8 +97,8 @@ rm -f %{_datadir}/icons/hicolor/32x32/apps/djvulibre-djview3.png || : %{_mandir}/man1/* %changelog -* Wen Jun 30 2021 houyingchao - 3.5.27-16 -- Fix CVE-2021-32493 CVE-2021-3500 +* Wed Jun 30 2021 liwu - 3.5.27-16 +* fix CVE-2021-32490, CVE-2021-32491, CVE-2021-32492 * Thu Jan 28 2021 lingsheng - 3.5.27-15 - update any2djvu server hostname