From 74ff8543171213c5469483a2a540784156c676bb Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Thu, 7 Nov 2019 15:49:09 +0100
Subject: [PATCH] Fix a stack overflow
Resolves: #1767868
---
djvulibre-3.5.27-stack-overflow.patch | 111 ++++++++++++++++++++++++++
djvulibre.spec | 8 +-
2 files changed, 118 insertions(+), 1 deletion(-)
create mode 100644 djvulibre-3.5.27-stack-overflow.patch
diff --git a/djvulibre-3.5.27-stack-overflow.patch b/djvulibre-3.5.27-stack-overflow.patch
new file mode 100644
index 0000000..6798076
--- /dev/null
+++ b/djvulibre-3.5.27-stack-overflow.patch 
@@ -0,0 +1,111 @@ +From e15d51510048927f172f1bf1f27ede65907d940d Mon Sep 17 00:00:00 2001 +From: Leon Bottou +Date: Mon, 8 Apr 2019 22:25:55 -0400 +Subject: bug 299 fixed + + +diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h +index 96b067c..0140211 100644 +--- a/libdjvu/GContainer.h ++++ b/libdjvu/GContainer.h +@@ -550,52 +550,61 @@ public: + template void + GArrayTemplate::sort(int lo, int hi) + { +- if (hi <= lo) +- return; +- if (hi > hibound || lo hibound || lo=lo) && !(data[j]<=tmp)) +- data[j+1] = data[j]; +- data[j+1] = tmp; ++ for (int i=lo+1; i<=hi; i++) ++ { ++ int j = i; ++ TYPE tmp = data[i]; ++ while ((--j>=lo) && !(data[j]<=tmp)) ++ data[j+1] = data[j]; ++ data[j+1] = tmp; ++ } ++ return; + } +- return; +- } +- // -- determine suitable quick-sort pivot +- TYPE tmp = data[lo]; +- TYPE pivot = data[(lo+hi)/2]; +- if (pivot <= tmp) +- { tmp = pivot; pivot=data[lo]; } +- if (data[hi] <= tmp) +- { pivot = tmp; } +- else if (data[hi] <= pivot) +- { pivot = data[hi]; } +- // -- partition set +- int h = hi; +- int l = lo; +- while (l < h) +- { +- while (! (pivot <= data[l])) l++; +- while (! (data[h] <= pivot)) h--; +- if (l < h) ++ // -- determine median-of-three pivot ++ TYPE tmp = data[lo]; ++ TYPE pivot = data[(lo+hi)/2]; ++ if (pivot <= tmp) ++ { tmp = pivot; pivot=data[lo]; } ++ if (data[hi] <= tmp) ++ { pivot = tmp; } ++ else if (data[hi] <= pivot) ++ { pivot = data[hi]; } ++ // -- partition set ++ int h = hi; ++ int l = lo; ++ while (l < h) + { +- tmp = data[l]; +- data[l] = data[h]; +- data[h] = tmp; +- l = l+1; +- h = h-1; ++ while (! (pivot <= data[l])) l++; ++ while (! 
(data[h] <= pivot)) h--; ++ if (l < h) ++ { ++ tmp = data[l]; ++ data[l] = data[h]; ++ data[h] = tmp; ++ l = l+1; ++ h = h-1; ++ } ++ } ++ // -- recurse, small partition first ++ // tail-recursion elimination ++ if (h - lo <= hi - l) { ++ sort(lo,h); ++ lo = l; // sort(l,hi) ++ } else { ++ sort(l,hi); ++ hi = h; // sort(lo,h) + } + } +- // -- recursively restart +- sort(lo, h); +- sort(l, hi); + } + + template inline TYPE& diff --git a/djvulibre.spec b/djvulibre.spec index 7ebcc42..e131c85 100644 --- a/djvulibre.spec +++ b/djvulibre.spec @@ -3,7 +3,7 @@ Summary: DjVu viewers, encoders, and utilities Name: djvulibre Version: 3.5.27 -Release: 14%{?dist} +Release: 15%{?dist} License: GPLv2+ URL: http://djvu.sourceforge.net/ Source0: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz @@ -11,6 +11,7 @@ Patch0: djvulibre-3.5.22-cdefs.patch #Patch1: djvulibre-3.5.25.3-cflags.patch Patch2: djvulibre-3.5.27-buffer-overflow.patch Patch3: djvulibre-3.5.27-infinite-loop.patch +Patch4: djvulibre-3.5.27-stack-overflow.patch Requires(post): xdg-utils Requires(preun): xdg-utils @@ -65,6 +66,7 @@ Development files for DjVuLibre. #%patch1 -p1 -b .cflags %patch2 -p1 -b .buffer-overflow %patch3 -p1 -b .infinite-loop +%patch4 -p1 -b .stack-overflow %build @@ -172,6 +174,10 @@ fi %changelog +* Thu Nov 7 2019 Marek Kasik - 3.5.27-15 +- Fix a stack overflow +- Resolves: #1767868 + * Wed Nov 6 2019 Marek Kasik - 3.5.27-14 - Break an infinite loop - Resolves: #1767857
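Review bot: In the new `GArrayTemplate::sort` body carried by djvulibre-3.5.27-stack-overflow.patch, the pivot index is still computed as `data[(lo+hi)/2]`, which is signed `int` arithmetic and is undefined behaviour once the sum exceeds `INT_MAX`; `TYPE pivot = data[lo + (hi-lo)/2];` keeps the index inside [lo, hi] without forming that sum. The two partition scans, `while (! (pivot <= data[l])) l++;` and `while (! (data[h] <= pivot)) h--;`, have no bound of their own and stop only because the pivot is an element of the range, so they presumably rely on `operator<=` being a consistent total order for every `TYPE`; if that cannot be guaranteed, bounding them (`while (l < hi && !(pivot <= data[l])) l++;`) would turn a possible out-of-range read into a merely wrong sort. The middle of this hunk is truncated on the page, so the enclosing loop header and the range check against `hibound` cannot be confirmed from here.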