!19 fix CVE-2021-32493 CVE-2021-3500

From: @houyingchao Reviewed-by: @small_leek Signed-off-by: @small_leek
2021-06-30 06:59:14 +00:00 · 2021-06-30 06:59:14 +00:00 · d407c789f6
commit d407c789f6
parent f082f72abd 3ec4a35371
3 changed files with 63 additions and 1 deletions
--- a/CVE-2021-32493.patch
+++ b/CVE-2021-32493.patch
@ -0,0 +1,21 @@
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index c2fdbe4..e271a1d 100644
+--- a/libdjvu/GBitmap.cpp
+++ b/libdjvu/GBitmap.cpp
+@@ -69,6 +69,7 @@
+ #include <stddef.h>
+ #include <stdlib.h>
+ #include <string.h>
+#include <climits>
+ 
+ // - Author: Leon Bottou, 05/1997
+ 
+@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
+   // initialize pixel array
+   if (nrows==0 || ncolumns==0)
+     G_THROW( ERR_MSG("GBitmap.not_init") );
+  if (ncolumns > USHRT_MAX - border)
+    G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
+   bytes_per_row = ncolumns + border;
+   if (runs==0)
+     G_THROW( ERR_MSG("GBitmap.null_arg") );
--- a/CVE-2021-3500.patch
+++ b/CVE-2021-3500.patch
@ -0,0 +1,36 @@
+diff --git a/libdjvu/DjVuPort.cpp b/libdjvu/DjVuPort.cpp
+index 2b3e0d2..ede7f6b 100644
+--- a/libdjvu/DjVuPort.cpp
+++ b/libdjvu/DjVuPort.cpp
+@@ -507,10 +507,19 @@ GP<DjVuFile>
+ DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
+ {
+    GPList<DjVuPort> list;
+
+   if (!!opening_id && opening_id == id)
+      G_THROW( ERR_MSG("DjVuPortcaster.recursive_open") );
+   else
+      opening_id = id;
+
+    compute_closure(source, list, true);
+    GP<DjVuFile> file;
+    for(GPosition pos=list;pos;++pos)
+       if ((file=list[pos]->id_to_file(source, id))) break;
+
+   opening_id = GUTF8String();
+
+    return file;
+ }
+ 
+diff --git a/libdjvu/DjVuPort.h b/libdjvu/DjVuPort.h
+index e2b3125..313dc2b 100644
+--- a/libdjvu/DjVuPort.h
+++ b/libdjvu/DjVuPort.h
+@@ -484,6 +484,7 @@ private:
+                        const DjVuPort *dst, int distance);
+    void compute_closure(const DjVuPort *src, GPList<DjVuPort> &list,
+                         bool sorted=false);
+   GUTF8String opening_id;
+ };
+ 
+ 
--- a/djvulibre.spec
+++ b/djvulibre.spec
@ -1,7 +1,7 @@
 Name:             djvulibre
 Summary:          An open source (GPL'ed) implementation of DjVu
 Version:          3.5.27
-Release:          15
+Release:          16
 License:          GPLv2+
 URL:              http://djvu.sourceforge.net/
 Source0:          http://downloads.sourceforge.net/djvu/djvulibre-%{version}.tar.gz
@ -12,6 +12,8 @@ Patch3:           CVE-2019-15144.patch
 Patch4:           CVE-2019-15145.patch
 Patch5:           CVE-2019-18804.patch
 Patch6:           update-any2djvu-server-hostname.patch
+Patch7:           CVE-2021-32493.patch
+Patch8:           CVE-2021-3500.patch
 Requires(post):   xdg-utils
 Requires(preun):  xdg-utils
 BuildRequires:    libjpeg-turbo-devel libtiff-devel xdg-utils chrpath hicolor-icon-theme gcc-c++
@ -94,6 +96,9 @@ rm -f %{_datadir}/icons/hicolor/32x32/apps/djvulibre-djview3.png || :
 %{_mandir}/man1/*

 %changelog
+* Wen Jun 30 2021 houyingchao <houyingchao@huawei.com> - 3.5.27-16
+- Fix CVE-2021-32493 CVE-2021-3500
+
 * Thu Jan 28 2021 lingsheng <lingsheng@huawei.com> - 3.5.27-15
 - update any2djvu server hostname