From 4b8d9b4bcb10c24739ca2dcd68a7fba4abe90860 Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Tue, 4 May 2021 16:33:42 +0200
Subject: [PATCH] Avoid integer overflow when allocating bitmap
Resolves: #1943409
---
 djvulibre-3.5.27-integer-overflow.patch | 23 +++++++++++++++++++++++
 djvulibre.spec | 8 +++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 djvulibre-3.5.27-integer-overflow.patch
diff --git a/djvulibre-3.5.27-integer-overflow.patch b/djvulibre-3.5.27-integer-overflow.patch
new file mode 100644
index 0000000..279a038
--- /dev/null
+++ b/djvulibre-3.5.27-integer-overflow.patch
@@ -0,0 +1,23 @@
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 7109952..b41f7d2 100644
+--- a/tools/ddjvu.cpp
++++ b/tools/ddjvu.cpp
+@@ -70,6 +70,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #ifdef UNIX
+ # include
+@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno)
+ rowsize = rrect.w;
+ else
+ rowsize = rrect.w * 3;
+- if (! (image = (char*)malloc(rowsize * rrect.h)))
++ if ((size_t)rowsize > SIZE_MAX / rrect.h)
++ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
++ if (! (image = (char*)malloc((size_t)rowsize * rrect.h)))
+ die(i18n("Cannot allocate image buffer for page %d"), pageno);
+
+ /* Render */
diff --git a/djvulibre.spec b/djvulibre.spec
index 060d75d..b2049a9 100644
--- a/djvulibre.spec
+++ b/djvulibre.spec
@@ -3,7 +3,7 @@
 Summary: DjVu viewers, encoders, and utilities
 Name: djvulibre
 Version: 3.5.27
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: GPLv2+
 URL: http://djvu.sourceforge.net/
 Source0: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
@@ -16,6 +16,7 @@ Patch5: djvulibre-3.5.27-zero-bytes-check.patch
 Patch6: djvulibre-3.5.27-export-file.patch
 Patch7: djvulibre-3.5.27-null-dereference.patch
 Patch8: djvulibre-3.5.27-check-image-size.patch
+Patch9: djvulibre-3.5.27-integer-overflow.patch
 Requires(post): xdg-utils
 Requires(preun): xdg-utils
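Review bot: In the `render()` hunk of tools/ddjvu.cpp carried by the new patch file, the added guard covers only `rowsize * rrect.h`; the context line `rowsize = rrect.w * 3` just above it is still evaluated unchecked. If those operands are 32-bit (their declarations are outside the hunk), a sufficiently wide page could wrap there and then pass the new test with a row size smaller than the row that is actually rendered. A bound before the multiply would close that, e.g. `if (rrect.w > INT_MAX / 3) die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);`, assuming `rowsize` is an `int`. The division `SIZE_MAX / rrect.h` also relies on `rrect.h` being non-zero, which presumably the earlier check-image-size patch (Patch8) guarantees; a short comment such as `/* rrect.h must be non-zero here (see the image-size check) */` would keep that dependency visible. The body of `render()` starts and ends outside the hunk.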
@@ -76,6 +77,7 @@ Development files for DjVuLibre.
 %patch6 -p1 -b .export-file
 %patch7 -p1 -b .null-dereference
 %patch8 -p1 -b .check-image-size
+%patch9 -p1 -b .integer-overflow
 %build
@@ -183,6 +185,10 @@ fi
 %changelog
+* Mon May 03 2021 Marek Kasik - 3.5.27-25
+- Avoid integer overflow when allocating bitmap
+- Resolves: #1943409
+
 * Mon May 03 2021 Marek Kasik - 3.5.27-24
 - Check image size for 0
 - Resolves: #1943408