fix CVE-2021-32490 CVE-2021-32491 CVE-2021-32492

2021-06-30 16:04:56 +08:00 · 2021-06-30 16:04:56 +08:00 · 424b0606dd
commit 424b0606dd
parent d407c789f6
4 changed files with 57 additions and 4 deletions
--- a/CVE-2021-32490.patch
+++ b/CVE-2021-32490.patch
@ -0,0 +1,16 @@
+diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp
+index e8d4b44..aa3d554 100644
+--- a/libdjvu/IW44Image.cpp
+++ b/libdjvu/IW44Image.cpp
+@@ -678,7 +678,11 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
+   size_t sz = bw * bh;
+   if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+     G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+  if (sz == 0)
+    G_THROW("IW44Image: zero size image (corrupted file?)");
+   GPBuffer<short> gdata16(data16,sz);
+  if (data16 == NULL)
+    G_THROW("IW44Image: unable to allocate image data");
+   // Copy coefficients
+   int i;
+   short *p = data16;
--- a/CVE-2021-32491.patch
+++ b/CVE-2021-32491.patch
@ -0,0 +1,23 @@
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 7109952..b41f7d2 100644
+--- a/tools/ddjvu.cpp
+++ b/tools/ddjvu.cpp
+@@ -70,6 +70,7 @@
+ #include <locale.h>
+ #include <fcntl.h>
+ #include <errno.h>
+#include <cstdint>
+ 
+ #ifdef UNIX
+ # include <sys/time.h>
+@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno)
+     rowsize = rrect.w;
+   else
+     rowsize = rrect.w * 3; 
+-  if (! (image = (char*)malloc(rowsize * rrect.h)))
+  if ((size_t) rowsize > SIZE_MAX / rrect.h)
+    die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
+  if (! (image = (char*)malloc((size_t) rowsize * rrect.h)))
+     die(i18n("Cannot allocate image buffer for page %d"), pageno);
+ 
+   /* Render */
--- a/CVE-2021-32492.patch
+++ b/CVE-2021-32492.patch
@ -0,0 +1,13 @@
+diff --git a/libdjvu/DataPool.cpp b/libdjvu/DataPool.cpp
+index 5fcbedf..4c2eaf0 100644
+--- a/libdjvu/DataPool.cpp
+++ b/libdjvu/DataPool.cpp
+@@ -791,6 +791,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
+   DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
+   DEBUG_MAKE_INDENT(3);
+ 
+  if (!pool) G_THROW( ERR_MSG("DataPool.zero_DataPool") );
+
+   DataPool *xpool=new DataPool();
+   GP<DataPool> retval=xpool;
+   xpool->init();
--- a/djvulibre.spec
+++ b/djvulibre.spec
@ -12,8 +12,9 @@ Patch3:           CVE-2019-15144.patch
 Patch4:           CVE-2019-15145.patch
 Patch5:           CVE-2019-18804.patch
 Patch6:           update-any2djvu-server-hostname.patch
-Patch7:           CVE-2021-32493.patch
-Patch8:           CVE-2021-3500.patch
+Patch7:           CVE-2021-32490.patch
+Patch8:           CVE-2021-32491.patch
+Patch9:           CVE-2021-32492.patch
 Requires(post):   xdg-utils
 Requires(preun):  xdg-utils
 BuildRequires:    libjpeg-turbo-devel libtiff-devel xdg-utils chrpath hicolor-icon-theme gcc-c++
@ -96,8 +97,8 @@ rm -f %{_datadir}/icons/hicolor/32x32/apps/djvulibre-djview3.png || :
 %{_mandir}/man1/*

 %changelog
-* Wen Jun 30 2021 houyingchao <houyingchao@huawei.com> - 3.5.27-16
- Fix CVE-2021-32493 CVE-2021-3500
+* Wed Jun 30 2021 liwu<liwu13@huawei.com> - 3.5.27-16
+* fix CVE-2021-32490, CVE-2021-32491, CVE-2021-32492

 * Thu Jan 28 2021 lingsheng <lingsheng@huawei.com> - 3.5.27-15
 - update any2djvu server hostname