diff --git a/CVE-2019-15142.patch b/CVE-2019-15142.patch new file mode 100644 index 0000000..c3cb020 --- /dev/null +++ b/CVE-2019-15142.patch @@ -0,0 +1,35 @@ +From 970fb11a296b5bbdc5e8425851253d2c5913c45e Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Tue, 26 Mar 2019 20:36:31 -0400 +Subject: [PATCH] Fix bug#296 + +--- + libdjvu/DjVmDir.cpp | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp +index 153e3c7..5834da6 100644 +--- a/libdjvu/DjVmDir.cpp ++++ b/libdjvu/DjVmDir.cpp +@@ -300,6 +300,9 @@ DjVmDir::decode(const GP &gstr) + memcpy((char*) strings+strings_size, buffer, length); + } + DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n"); ++ int strings_size=strings.size(); ++ strings.resize(strings_size+3); ++ memset((char*) strings+strings_size, 0, 4); + + // Copy names into the files + const char * ptr=strings; +@@ -307,6 +310,8 @@ DjVmDir::decode(const GP &gstr) + { + GP file=files_list[pos]; + ++ if (ptr >= (const char*)strings + strings_size) ++ G_THROW( "DjVu document is corrupted (DjVmDir)" ); + file->id=ptr; + ptr+=file->id.length()+1; + if (file->flags & File::HAS_NAME) +-- +2.23.0 + diff --git a/CVE-2019-15143.patch b/CVE-2019-15143.patch new file mode 100644 index 0000000..015dd8f --- /dev/null +++ b/CVE-2019-15143.patch @@ -0,0 +1,46 @@ +From b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Tue, 26 Mar 2019 20:45:46 -0400 +Subject: [PATCH] fix for bug #297 + +--- + libdjvu/DjVmDir.cpp | 2 +- + libdjvu/GBitmap.cpp | 6 ++++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp +index 0a0fac6..5a49015 100644 +--- a/libdjvu/DjVmDir.cpp ++++ b/libdjvu/DjVmDir.cpp +@@ -309,7 +309,7 @@ DjVmDir::decode(const GP &gstr) + GP file=files_list[pos]; + + if (ptr >= (const char*)strings + strings_size) +- G_THROW( "DjVu document is corrupted (DjVmDir)" ); ++ G_THROW( ByteStream::EndOfFile ); + file->id=ptr; + ptr+=file->id.length()+1; + if (file->flags & File::HAS_NAME) +diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp +index 0e487f0..c2fdbe4 100644 +--- a/libdjvu/GBitmap.cpp ++++ b/libdjvu/GBitmap.cpp +@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs) + int c = 0; + while (n >= 0) + { +- bs.read(&h, 1); ++ if (bs.read(&h, 1) <= 0) ++ G_THROW( ByteStream::EndOfFile ); + int x = h; + if (x >= (int)RUNOVERFLOWVALUE) + { +- bs.read(&h, 1); ++ if (bs.read(&h, 1) <= 0) ++ G_THROW( ByteStream::EndOfFile ); + x = h + ((x - (int)RUNOVERFLOWVALUE) << 8); + } + if (c+x > ncolumns) +-- +2.23.0 + diff --git a/CVE-2019-15144.patch b/CVE-2019-15144.patch new file mode 100644 index 0000000..6798076 --- /dev/null +++ b/CVE-2019-15144.patch @@ -0,0 +1,111 @@ +From e15d51510048927f172f1bf1f27ede65907d940d Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Mon, 8 Apr 2019 22:25:55 -0400 +Subject: bug 299 fixed + + +diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h +index 96b067c..0140211 100644 +--- a/libdjvu/GContainer.h ++++ b/libdjvu/GContainer.h +@@ -550,52 +550,61 @@ public: + template void + GArrayTemplate::sort(int lo, int hi) + { +- if (hi <= lo) +- return; +- if (hi > hibound || lo hibound || lo=lo) && !(data[j]<=tmp)) +- data[j+1] = data[j]; +- data[j+1] = tmp; ++ for (int i=lo+1; i<=hi; i++) ++ { ++ int j = i; ++ TYPE tmp = data[i]; ++ while ((--j>=lo) && !(data[j]<=tmp)) ++ data[j+1] = data[j]; ++ data[j+1] = tmp; ++ } ++ return; + } +- return; +- } +- // -- determine suitable quick-sort pivot +- TYPE tmp = data[lo]; +- TYPE pivot = data[(lo+hi)/2]; +- if (pivot <= tmp) +- { tmp = pivot; pivot=data[lo]; } +- if (data[hi] <= tmp) +- { pivot = tmp; } +- else if (data[hi] <= pivot) +- { pivot = data[hi]; } +- // -- partition set +- int h = hi; +- int l = lo; +- while (l < h) +- { +- while (! (pivot <= data[l])) l++; +- while (! (data[h] <= pivot)) h--; +- if (l < h) ++ // -- determine median-of-three pivot ++ TYPE tmp = data[lo]; ++ TYPE pivot = data[(lo+hi)/2]; ++ if (pivot <= tmp) ++ { tmp = pivot; pivot=data[lo]; } ++ if (data[hi] <= tmp) ++ { pivot = tmp; } ++ else if (data[hi] <= pivot) ++ { pivot = data[hi]; } ++ // -- partition set ++ int h = hi; ++ int l = lo; ++ while (l < h) + { +- tmp = data[l]; +- data[l] = data[h]; +- data[h] = tmp; +- l = l+1; +- h = h-1; ++ while (! (pivot <= data[l])) l++; ++ while (! (data[h] <= pivot)) h--; ++ if (l < h) ++ { ++ tmp = data[l]; ++ data[l] = data[h]; ++ data[h] = tmp; ++ l = l+1; ++ h = h-1; ++ } ++ } ++ // -- recurse, small partition first ++ // tail-recursion elimination ++ if (h - lo <= hi - l) { ++ sort(lo,h); ++ lo = l; // sort(l,hi) ++ } else { ++ sort(l,hi); ++ hi = h; // sort(lo,h) + } + } +- // -- recursively restart +- sort(lo, h); +- sort(l, hi); + } + + template inline TYPE& diff --git a/CVE-2019-15145.patch b/CVE-2019-15145.patch new file mode 100644 index 0000000..144c8eb --- /dev/null +++ b/CVE-2019-15145.patch @@ -0,0 +1,27 @@ +From 9658b01431cd7ff6344d7787f855179e73fe81a7 Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Mon, 8 Apr 2019 22:55:38 -0400 +Subject: fix bug #298 + +diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h +index e8e0c9b..ca89a19 100644 +--- a/libdjvu/GBitmap.h ++++ b/libdjvu/GBitmap.h +@@ -566,7 +566,7 @@ GBitmap::operator[](int row) + { + if (!bytes) + uncompress(); +- if (row<0 || row>=nrows) { ++ if (row<0 || row>=nrows || !bytes) { + #ifndef NDEBUG + if (zerosize < bytes_per_row + border) + G_THROW( ERR_MSG("GBitmap.zero_small") ); +@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const + { + if (!bytes) + ((GBitmap*)this)->uncompress(); +- if (row<0 || row>=nrows) { ++ if (row<0 || row>=nrows || !bytes) { + #ifndef NDEBUG + if (zerosize < bytes_per_row + border) + G_THROW( ERR_MSG("GBitmap.zero_small") ); diff --git a/CVE-2019-18804.patch b/CVE-2019-18804.patch new file mode 100644 index 0000000..a881a21 --- /dev/null +++ b/CVE-2019-18804.patch @@ -0,0 +1,36 @@ +From c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125 Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Thu, 17 Oct 2019 22:20:31 -0400 +Subject: [PATCH 1/2] Fixed bug 309 + +--- + libdjvu/IW44EncodeCodec.cpp | 2 +- + tools/ddjvu.cpp| 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp +index 00752a0..f81eaeb 100644 +--- a/libdjvu/IW44EncodeCodec.cpp ++++ b/libdjvu/IW44EncodeCodec.cpp +@@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale) + int y = 0; + int s = scale*rowsize; + int s3 = s+s+s; +- h = ((h-1)/scale)+1; ++ h = (h>0) ? ((h-1)/scale)+1 : 0; + y += 1; + p += s; + while (y-3 < h) +diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp +index 6d0df3b..7109952 100644 +--- a/tools/ddjvu.cpp ++++ b/tools/ddjvu.cpp +@@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno) + prect.h = (ih * 100) / dpi; + } + /* Process aspect ratio */ +- if (flag_aspect <= 0) ++ if (flag_aspect <= 0 && iw>0 && ih>0) + { + double dw = (double)iw / prect.w; + double dh = (double)ih / prect.h; diff --git a/djvulibre.spec b/djvulibre.spec index 012c895..712196e 100644 --- a/djvulibre.spec +++ b/djvulibre.spec @@ -1,11 +1,16 @@ Name: djvulibre Summary: An open source (GPL'ed) implementation of DjVu Version: 3.5.27 -Release: 13 +Release: 14 License: GPLv2+ URL: http://djvu.sourceforge.net/ Source0: http://downloads.sourceforge.net/djvu/djvulibre-%{version}.tar.gz Patch0: djvulibre-3.5.22-cdefs.patch +Patch1: CVE-2019-15142.patch +Patch2: CVE-2019-15143.patch +Patch3: CVE-2019-15144.patch +Patch4: CVE-2019-15145.patch +Patch5: CVE-2019-18804.patch Requires(post): xdg-utils Requires(preun): xdg-utils BuildRequires: libjpeg-turbo-devel libtiff-devel xdg-utils chrpath hicolor-icon-theme gcc-c++ @@ -88,6 +93,9 @@ rm -f %{_datadir}/icons/hicolor/32x32/apps/djvulibre-djview3.png || : %{_mandir}/man1/* %changelog +* Mon Jan 4 2021 zhanghua - 3.5.27-14 +- fix CVE-2019-15142, CVE-2019-15143, CVE-2019-15144, CVE-2019-15145, CVE-2019-18804 + * Sun Sep 20 2020 yanan li - 3.5.27-13 - delete %preun