fix CVE-2019-15142, CVE-2019-15143, CVE-2019-15144, CVE-2019-15145, CVE-2019-18804

2021-01-04 10:02:14 +08:00 · 2021-01-04 10:02:14 +08:00 · 52e3b7e200
commit 52e3b7e200
parent ea0b8b1d31
6 changed files with 264 additions and 1 deletions
--- a/CVE-2019-15142.patch
+++ b/CVE-2019-15142.patch
@ -0,0 +1,35 @@
+From 970fb11a296b5bbdc5e8425851253d2c5913c45e Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Tue, 26 Mar 2019 20:36:31 -0400
+Subject: [PATCH] Fix bug#296
+
+---
+ libdjvu/DjVmDir.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index 153e3c7..5834da6 100644
+--- a/libdjvu/DjVmDir.cpp
+++ b/libdjvu/DjVmDir.cpp
+@@ -300,6 +300,9 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+          memcpy((char*) strings+strings_size, buffer, length);
+       }
+       DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
+      int strings_size=strings.size();
+      strings.resize(strings_size+3);
+      memset((char*) strings+strings_size, 0, 4);
+    
+          // Copy names into the files
+       const char * ptr=strings;
+@@ -307,6 +310,8 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+       {
+          GP<File> file=files_list[pos];
+ 
+         if (ptr >= (const char*)strings + strings_size)
+           G_THROW( "DjVu document is corrupted (DjVmDir)" );
+          file->id=ptr;
+          ptr+=file->id.length()+1;
+          if (file->flags & File::HAS_NAME)
+-- 
+2.23.0
+
--- a/CVE-2019-15143.patch
+++ b/CVE-2019-15143.patch
@ -0,0 +1,46 @@
+From b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Tue, 26 Mar 2019 20:45:46 -0400
+Subject: [PATCH] fix for bug #297
+
+---
+ libdjvu/DjVmDir.cpp | 2 +-
+ libdjvu/GBitmap.cpp | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index 0a0fac6..5a49015 100644
+--- a/libdjvu/DjVmDir.cpp
+++ b/libdjvu/DjVmDir.cpp
+@@ -309,7 +309,7 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+          GP<File> file=files_list[pos];
+ 
+          if (ptr >= (const char*)strings + strings_size)
+-           G_THROW( "DjVu document is corrupted (DjVmDir)" );
+           G_THROW( ByteStream::EndOfFile );
+          file->id=ptr;
+          ptr+=file->id.length()+1;
+          if (file->flags & File::HAS_NAME)
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index 0e487f0..c2fdbe4 100644
+--- a/libdjvu/GBitmap.cpp
+++ b/libdjvu/GBitmap.cpp
+@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs)
+   int c = 0;
+   while (n >= 0)
+     {
+-      bs.read(&h, 1);
+      if (bs.read(&h, 1) <= 0)
+        G_THROW( ByteStream::EndOfFile );
+       int x = h;
+       if (x >= (int)RUNOVERFLOWVALUE)
+         {
+-          bs.read(&h, 1);
+          if (bs.read(&h, 1) <= 0)
+            G_THROW( ByteStream::EndOfFile );
+           x = h + ((x - (int)RUNOVERFLOWVALUE) << 8);
+         }
+       if (c+x > ncolumns)
+-- 
+2.23.0
+
--- a/CVE-2019-15144.patch
+++ b/CVE-2019-15144.patch
@ -0,0 +1,111 @@
+From e15d51510048927f172f1bf1f27ede65907d940d Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Mon, 8 Apr 2019 22:25:55 -0400
+Subject: bug 299 fixed
+
+
+diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h
+index 96b067c..0140211 100644
+--- a/libdjvu/GContainer.h
+++ b/libdjvu/GContainer.h
+@@ -550,52 +550,61 @@ public:
+ template <class TYPE> void
+ GArrayTemplate<TYPE>::sort(int lo, int hi)
+ {
+-  if (hi <= lo)
+-    return;
+-  if (hi > hibound || lo<lobound)
+-    G_THROW( ERR_MSG("GContainer.illegal_subscript") );
+   TYPE *data = (TYPE*)(*this);
+-  // Test for insertion sort
+-  if (hi <= lo + 50)
+  while(true)
+     {
+-      for (int i=lo+1; i<=hi; i++)
+      if (hi <= lo)
+        return;
+      if (hi > hibound || lo<lobound)
+        G_THROW( ERR_MSG("GContainer.illegal_subscript") );
+      // Test for insertion sort
+      if (hi <= lo + 50)
+         {
+-          int j = i;
+-          TYPE tmp = data[i];
+-          while ((--j>=lo) && !(data[j]<=tmp))
+-            data[j+1] = data[j];
+-          data[j+1] = tmp;
+          for (int i=lo+1; i<=hi; i++)
+            {
+              int j = i;
+              TYPE tmp = data[i];
+              while ((--j>=lo) && !(data[j]<=tmp))
+                data[j+1] = data[j];
+              data[j+1] = tmp;
+            }
+          return;
+         }
+-      return;
+-    }
+-  // -- determine suitable quick-sort pivot
+-  TYPE tmp = data[lo];
+-  TYPE pivot = data[(lo+hi)/2];
+-  if (pivot <= tmp)
+-    { tmp = pivot; pivot=data[lo]; }
+-  if (data[hi] <= tmp)
+-    { pivot = tmp; }
+-  else if (data[hi] <= pivot)
+-    { pivot = data[hi]; }
+-  // -- partition set
+-  int h = hi;
+-  int l = lo;
+-  while (l < h)
+-    {
+-      while (! (pivot <= data[l])) l++;
+-      while (! (data[h] <= pivot)) h--;
+-      if (l < h)
+      // -- determine median-of-three pivot
+      TYPE tmp = data[lo];
+      TYPE pivot = data[(lo+hi)/2];
+      if (pivot <= tmp)
+        { tmp = pivot; pivot=data[lo]; }
+      if (data[hi] <= tmp)
+        { pivot = tmp; }
+      else if (data[hi] <= pivot)
+        { pivot = data[hi]; }
+      // -- partition set
+      int h = hi;
+      int l = lo;
+      while (l < h)
+         {
+-          tmp = data[l];
+-          data[l] = data[h];
+-          data[h] = tmp;
+-          l = l+1;
+-          h = h-1;
+          while (! (pivot <= data[l])) l++;
+          while (! (data[h] <= pivot)) h--;
+          if (l < h)
+            {
+              tmp = data[l];
+              data[l] = data[h];
+              data[h] = tmp;
+              l = l+1;
+              h = h-1;
+            }
+        }
+      // -- recurse, small partition first
+      //    tail-recursion elimination
+      if (h - lo <= hi - l) {
+        sort(lo,h);
+        lo = l; // sort(l,hi)
+      } else {
+        sort(l,hi);
+        hi = h; // sort(lo,h)
+       }
+     }
+-  // -- recursively restart
+-  sort(lo, h);
+-  sort(l, hi);
+ }
+ 
+ template<class TYPE> inline TYPE&
--- a/CVE-2019-15145.patch
+++ b/CVE-2019-15145.patch
@ -0,0 +1,27 @@
+From 9658b01431cd7ff6344d7787f855179e73fe81a7 Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Mon, 8 Apr 2019 22:55:38 -0400
+Subject: fix bug #298
+
+diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h
+index e8e0c9b..ca89a19 100644
+--- a/libdjvu/GBitmap.h
+++ b/libdjvu/GBitmap.h
+@@ -566,7 +566,7 @@ GBitmap::operator[](int row)
+ {
+   if (!bytes) 
+     uncompress();
+-  if (row<0 || row>=nrows) {
+  if (row<0 || row>=nrows || !bytes) {
+ #ifndef NDEBUG
+     if (zerosize < bytes_per_row + border)
+       G_THROW( ERR_MSG("GBitmap.zero_small") );
+@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const
+ {
+   if (!bytes) 
+     ((GBitmap*)this)->uncompress();
+-  if (row<0 || row>=nrows) {
+  if (row<0 || row>=nrows || !bytes) {
+ #ifndef NDEBUG
+     if (zerosize < bytes_per_row + border)
+       G_THROW( ERR_MSG("GBitmap.zero_small") );
--- a/CVE-2019-18804.patch
+++ b/CVE-2019-18804.patch
@ -0,0 +1,36 @@
+From c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125 Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Thu, 17 Oct 2019 22:20:31 -0400
+Subject: [PATCH 1/2] Fixed bug 309
+
+---
+ libdjvu/IW44EncodeCodec.cpp | 2 +-
+ tools/ddjvu.cpp| 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp
+index 00752a0..f81eaeb 100644
+--- a/libdjvu/IW44EncodeCodec.cpp
+++ b/libdjvu/IW44EncodeCodec.cpp
+@@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale)
+   int y = 0;
+   int s = scale*rowsize;
+   int s3 = s+s+s;
+-  h = ((h-1)/scale)+1;
+  h = (h>0) ? ((h-1)/scale)+1 : 0;
+   y += 1;
+   p += s;
+   while (y-3 < h)
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 6d0df3b..7109952 100644
+--- a/tools/ddjvu.cpp
+++ b/tools/ddjvu.cpp
+@@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno)
+       prect.h = (ih * 100) / dpi;
+     }
+   /* Process aspect ratio */
+-  if (flag_aspect <= 0)
+  if (flag_aspect <= 0 && iw>0 && ih>0)
+     {
+       double dw = (double)iw / prect.w;
+       double dh = (double)ih / prect.h;
--- a/djvulibre.spec
+++ b/djvulibre.spec
@ -1,11 +1,16 @@
 Name:             djvulibre
 Summary:          An open source (GPL'ed) implementation of DjVu
 Version:          3.5.27
-Release:          13
+Release:          14
 License:          GPLv2+
 URL:              http://djvu.sourceforge.net/
 Source0:          http://downloads.sourceforge.net/djvu/djvulibre-%{version}.tar.gz
 Patch0:           djvulibre-3.5.22-cdefs.patch
+Patch1:           CVE-2019-15142.patch
+Patch2:           CVE-2019-15143.patch
+Patch3:           CVE-2019-15144.patch
+Patch4:           CVE-2019-15145.patch
+Patch5:           CVE-2019-18804.patch
 Requires(post):   xdg-utils
 Requires(preun):  xdg-utils
 BuildRequires:    libjpeg-turbo-devel libtiff-devel xdg-utils chrpath hicolor-icon-theme gcc-c++
@ -88,6 +93,9 @@ rm -f %{_datadir}/icons/hicolor/32x32/apps/djvulibre-djview3.png || :
 %{_mandir}/man1/*

 %changelog
+* Mon Jan 4 2021 zhanghua <zhanghua40@huawei.com> - 3.5.27-14
+- fix CVE-2019-15142, CVE-2019-15143, CVE-2019-15144, CVE-2019-15145, CVE-2019-18804
+
 * Sun Sep 20 2020 yanan li <liyanan032@huawei.com> - 3.5.27-13
 - delete %preun