Avoid unsigned short overflow

in GBitmap when allocating row buffer

Resolves: #1943424

djvulibre-3.5.27-unsigned-short-overflow.patch

@@ -0,0 +1,21 @@
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index c2fdbe4..e271a1d 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -69,6 +69,7 @@
+ #include <stddef.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ // - Author: Leon Bottou, 05/1997
+ 
+@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
+   // initialize pixel array
+   if (nrows==0 || ncolumns==0)
+     G_THROW( ERR_MSG("GBitmap.not_init") );
++  if (ncolumns > USHRT_MAX - border)
++    G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
+   bytes_per_row = ncolumns + border;
+   if (runs==0)
+     G_THROW( ERR_MSG("GBitmap.null_arg") );

djvulibre.spec

@@ -3,7 +3,7 @@
 Summary: DjVu viewers, encoders, and utilities
 Name: djvulibre
 Version: 3.5.27
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: GPLv2+
 URL: http://djvu.sourceforge.net/
 Source0: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
@@ -19,6 +19,7 @@ Patch8: djvulibre-3.5.27-check-image-size.patch
 Patch9: djvulibre-3.5.27-integer-overflow.patch
 Patch10: djvulibre-3.5.27-check-input-pool.patch
 Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch
+Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch
 
 Requires(post): xdg-utils
 Requires(preun): xdg-utils
@@ -82,6 +83,7 @@ Development files for DjVuLibre.
 %patch9 -p1 -b .integer-overflow
 %patch10 -p1 -b .check-input-pool
 %patch11 -p1 -b .djvuport-stack-overflow
+%patch12 -p1 -b .unsigned-short-overflow
 
 
 %build 
@@ -189,6 +191,10 @@ fi
 
 
 %changelog
+* Mon May 03 2021 Marek Kasik <mkasik@redhat.com> - 3.5.27-28
+- Avoid unsigned short overflow in GBitmap when allocating row buffer
+- Resolves: #1943424
+
 * Mon May 03 2021 Marek Kasik <mkasik@redhat.com> - 3.5.27-27
 - Avoid stack overflow in DjVuPort by remembering which file we are opening
 - Resolves: #1943411, #1943685