From a782ccd218e9e4bc79b7bb181c9728b19ed4b1f9 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Wed, 13 Sep 2023 10:43:27 +0800
Subject: [PATCH] Fix CVE-2021-46310,CVE-2021-46312
---
 CVE-2021-46310.patch | 19 +++++++++++++++++++
 CVE-2021-46312.patch | 20 ++++++++++++++++++++
 djvulibre.spec | 7 ++++++-
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-46310.patch
 create mode 100644 CVE-2021-46312.patch
diff --git a/CVE-2021-46310.patch b/CVE-2021-46310.patch
new file mode 100644
index 0000000..75a269c
--- /dev/null
+++ b/CVE-2021-46310.patch
@@ -0,0 +1,19 @@
+Origin: https://sourceforge.net/p/djvu/bugs/345/
+
+Index: djvulibre-3.5.28/libdjvu/IW44Image.cpp
+===================================================================
+--- djvulibre-3.5.28.orig/libdjvu/IW44Image.cpp
++++ djvulibre-3.5.28/libdjvu/IW44Image.cpp
+@@ -676,10 +676,10 @@ IW44Image::Map::image(signed char *img8,
+ // Allocate reconstruction buffer
+ short *data16;
+ size_t sz = bw * bh;
++ if (sz == 0) // bw or bh is zero
++ G_THROW("IW44Image: zero size image (corrupted file?)");
+ if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+ G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+- if (sz == 0)
+- G_THROW("IW44Image: zero size image (corrupted file?)");
+ GPBuffer gdata16(data16,sz);
+ if (data16 == NULL)
+ G_THROW("IW44Image: unable to allocate image data");
diff --git a/CVE-2021-46312.patch b/CVE-2021-46312.patch
new file mode 100644
index 0000000..b6c2374
--- /dev/null
+++ b/CVE-2021-46312.patch
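Review bot: In CVE-2021-46310.patch the product in `size_t sz = bw * bh;` is still computed in the operands' own type before it is widened, so if `bw` and `bh` are `int` (their declarations are outside the hunk) a large corrupted size overflows a signed multiplication, which is undefined behaviour, before the `sz / (size_t)bw != (size_t)bh` check can see it. Widening first keeps that check well-defined: `size_t sz = (size_t)bw * (size_t)bh;`. The same applies to `size_t sz = w * h;` in the IW44EncodeCodec.cpp hunk of CVE-2021-46312.patch, where `h` is visibly an `int`. The body of `IW44Image::Map::image` continues outside the hunk.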
@@ -0,0 +1,20 @@
+Origin: https://sourceforge.net/p/djvu/bugs/344/
+
+Index: djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp
+===================================================================
+--- djvulibre-3.5.28.orig/libdjvu/IW44EncodeCodec.cpp
++++ djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp
+@@ -1424,7 +1424,12 @@ IWBitmap::Encode::init(const GBitmap &bm
+ int h = bm.rows();
+ int g = bm.get_grays()-1;
+ signed char *buffer;
+- GPBuffer gbuffer(buffer,w*h);
++ size_t sz = w * h;
++ if (sz == 0 || g <= 0) // w or h is zero or g is not positive
++ G_THROW("IWBitmap: zero size image (corrupted file?)");
++ if (sz / (size_t)w != (size_t)h) // multiplication overflow
++ G_THROW("IWBitmap: image size exceeds maximum (corrupted file?)");
++ GPBuffer gbuffer(buffer,sz);
+ // Prepare gray level conversion table
+ signed char bconv[256];
+ for (i=0; i<256; i++)
diff --git a/djvulibre.spec b/djvulibre.spec
index a151e59..edf7b99 100644
--- a/djvulibre.spec
+++ b/djvulibre.spec
@@ -1,7 +1,7 @@
 Name: djvulibre
 Summary: An open source (GPL'ed) implementation of DjVu
 Version: 3.5.27
-Release: 18
+Release: 19
 License: GPLv2+
 URL: http://djvu.sourceforge.net/
 Source0: http://downloads.sourceforge.net/djvu/djvulibre-%{version}.tar.gz
@@ -18,6 +18,8 @@ Patch9: CVE-2021-32492.patch
 Patch10: CVE-2021-32493.patch
 Patch11: CVE-2021-3500.patch
 Patch12: CVE-2021-3630.patch
+Patch13: CVE-2021-46310.patch
+Patch14: CVE-2021-46312.patch
 Requires(post): xdg-utils
 Requires(preun): xdg-utils
@@ -101,6 +103,9 @@ rm -f %{_datadir}/icons/hicolor/32x32/apps/djvulibre-djview3.png || :
 %{_mandir}/man1/*
 %changelog
+* Wed Sep 13 2023 wangkai <13474090681@163.com> - 3.5.27-19
+- Fix CVE-2021-46310,CVE-2021-46312
+
 * Wed Jul 07 2021 wangyue - 3.5.27-18
 - Fix CVE-2021-3630
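Review bot: In the IW44EncodeCodec.cpp hunk of CVE-2021-46312.patch the `g <= 0` case is thrown with the "zero size image" message, so a bitmap rejected for its gray-level count is reported as an empty image. Splitting the guard keeps the two rejection reasons distinguishable when triaging malformed files: `if (g <= 0) G_THROW("IWBitmap: invalid gray level count (corrupted file?)");` ahead of the `sz == 0` test. The check presumably protects the gray-level conversion loop that begins at the end of the hunk; its body, like the rest of `IWBitmap::Encode::init`, is outside the hunk, so a short comment stating what `g` must satisfy there would help the next reader.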