From d3ab5800cbceebca93b4dedb6f001673d6a9c79d Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Tue, 4 May 2021 16:42:06 +0200
Subject: [PATCH] Avoid unsigned short overflow in GBitmap when allocating row buffer
Resolves: #1943424
---
 ...libre-3.5.27-unsigned-short-overflow.patch | 21 +++++++++++++++++++
 djvulibre.spec | 8 ++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 djvulibre-3.5.27-unsigned-short-overflow.patch
diff --git a/djvulibre-3.5.27-unsigned-short-overflow.patch b/djvulibre-3.5.27-unsigned-short-overflow.patch
new file mode 100644
index 0000000..c7a6f3a
--- /dev/null
+++ b/djvulibre-3.5.27-unsigned-short-overflow.patch
@@ -0,0 +1,21 @@
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index c2fdbe4..e271a1d 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -69,6 +69,7 @@
+ #include
+ #include
+ #include
++#include
+
+ // - Author: Leon Bottou, 05/1997
+
+@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
+ // initialize pixel array
+ if (nrows==0 || ncolumns==0)
+ G_THROW( ERR_MSG("GBitmap.not_init") );
++ if (ncolumns > USHRT_MAX - border)
++ G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
+ bytes_per_row = ncolumns + border;
+ if (runs==0)
+ G_THROW( ERR_MSG("GBitmap.null_arg") );
diff --git a/djvulibre.spec b/djvulibre.spec
index 5bf9a6c..579a230 100644
--- a/djvulibre.spec
+++ b/djvulibre.spec
@@ -3,7 +3,7 @@
 Summary: DjVu viewers, encoders, and utilities
 Name: djvulibre
 Version: 3.5.27
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: GPLv2+
 URL: http://djvu.sourceforge.net/
 Source0: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
@@ -19,6 +19,7 @@ Patch8: djvulibre-3.5.27-check-image-size.patch
 Patch9: djvulibre-3.5.27-integer-overflow.patch
 Patch10: djvulibre-3.5.27-check-input-pool.patch
 Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch
+Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch
 Requires(post): xdg-utils
 Requires(preun): xdg-utils
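Review bot: In the `GBitmap::decode` hunk carried by the new patch file, the added `ncolumns > USHRT_MAX - border` guard bounds only the per-row size, so the buffer-size computation that follows in `decode` (outside this hunk) still deserves a look: if it multiplies the row count by `bytes_per_row` in `int` arithmetic, two individually valid dimensions can still overflow the total, and it should be done in `size_t`. The other places that assign `bytes_per_row` are not shown here either; if they take dimensions from file data they presumably need the same bound. The throw passes a bare literal where its neighbours use `ERR_MSG(...)`, which is worth making a deliberate choice, and a one-line comment such as `// bytes_per_row is an unsigned short: reject widths whose sum with border would wrap` above the check would record why the limit is USHRT_MAX.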
@@ -82,6 +83,7 @@ Development files for DjVuLibre.
 %patch9 -p1 -b .integer-overflow
 %patch10 -p1 -b .check-input-pool
 %patch11 -p1 -b .djvuport-stack-overflow
+%patch12 -p1 -b .unsigned-short-overflow
 %build
@@ -189,6 +191,10 @@ fi
 %changelog
+* Mon May 03 2021 Marek Kasik - 3.5.27-28
+- Avoid unsigned short overflow in GBitmap when allocating row buffer
+- Resolves: #1943424
+
 * Mon May 03 2021 Marek Kasik - 3.5.27-27
 - Avoid stack overflow in DjVuPort by remembering which file we are opening
 - Resolves: #1943411, #1943685