From ea98c462ec0140f80bdc2832ac3378daeb1d9891 Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Fri, 2 Jul 2021 16:43:17 +0200
Subject: [PATCH] Fix out-of-bounds write in djvutext
Resolves: #1977428
---
djvulibre-3.5.27-out-of-bound-write-2.patch | 14 ++++++++++
djvulibre-3.5.27-out-of-bound-write.patch | 31 +++++++++++++++++++++
djvulibre.spec | 10 ++++++-
3 files changed, 54 insertions(+), 1 deletion(-)
create mode 100644 djvulibre-3.5.27-out-of-bound-write-2.patch
create mode 100644 djvulibre-3.5.27-out-of-bound-write.patch
diff --git a/djvulibre-3.5.27-out-of-bound-write-2.patch b/djvulibre-3.5.27-out-of-bound-write-2.patch
new file mode 100644
index 0000000..d7db88d
--- /dev/null
+++ b/djvulibre-3.5.27-out-of-bound-write-2.patch
@@ -0,0 +1,14 @@
+diff --git a/libdjvu/DjVuText.cpp b/libdjvu/DjVuText.cpp
+index 60a4f39..b11df7b 100644
+--- a/libdjvu/DjVuText.cpp
++++ b/libdjvu/DjVuText.cpp
+@@ -345,7 +345,8 @@ DjVuTXT::decode(const GP &gbs)
+ int textsize = bs.read24();
+ char *buffer = textUTF8.getbuf(textsize);
+ int readsize = bs.read(buffer,textsize);
+- buffer[readsize] = 0;
++ if (readsize > 0)
++ buffer[readsize] = 0;
+ if (readsize < textsize)
+ G_THROW( ERR_MSG("DjVuText.corrupt_chunk") );
+ // Try reading zones
diff --git a/djvulibre-3.5.27-out-of-bound-write.patch b/djvulibre-3.5.27-out-of-bound-write.patch
new file mode 100644
index 0000000..59071f0
--- /dev/null
+++ b/djvulibre-3.5.27-out-of-bound-write.patch
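Review bot: In the DjVuText.cpp hunk carried by out-of-bound-write-2.patch, the new `if (readsize > 0)` guard decides whether the terminator write is safe from the read count alone; the pointer returned by `textUTF8.getbuf(textsize)` is still never checked, and `textsize` comes directly from `bs.read24()`, i.e. from the file being decoded. The write at `buffer[readsize]` stays in bounds only if getbuf always returns at least `textsize + 1` bytes, which this hunk does not show and which presumably depends on the companion GString.cpp patch. I would state the condition explicitly, `if (buffer && readsize >= 0 && readsize <= textsize) buffer[readsize] = 0;`, and add a comment such as `// getbuf() may hand back no storage for an empty chunk; only terminate inside the allocation`. DjVuTXT::decode starts and ends outside the hunk.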
@@ -0,0 +1,31 @@
+From 7b0ef20690e08f1fe124aebbf42f6310e2f40f81 Mon Sep 17 00:00:00 2001
+From: Leon Bottou
+Date: Thu, 27 Jun 2019 18:38:03 -0400
+Subject: [PATCH] Lizards!
+
+---
+ libdjvu/GString.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libdjvu/GString.cpp b/libdjvu/GString.cpp
+index bf98bfe..b17ed2a 100644
+--- a/libdjvu/GString.cpp
++++ b/libdjvu/GString.cpp
+@@ -1216,11 +1216,11 @@ GP
+ GStringRep::getbuf(int n) const
+ {
+ GP retval;
+- if(n< 0)
++ if(n < 0)
+ n=strlen(data);
+- if(n>0)
++ if(n >= 0)
+ {
+- retval=blank(n);
++ retval=blank((n>0) ? n : 1);
+ char *ndata=retval->data;
+ strncpy(ndata,data,n);
+ ndata[n]=0;
+--
+2.31.1
+
diff --git a/djvulibre.spec b/djvulibre.spec
index 579a230..a28a79c 100644
--- a/djvulibre.spec
+++ b/djvulibre.spec
@@ -3,7 +3,7 @@ Summary: DjVu viewers, encoders, and utilities Name: djvulibre Version: 3.5.27 -Release: 28%{?dist} +Release: 29%{?dist} License: GPLv2+ URL: http://djvu.sourceforge.net/ Source0: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
@@ -20,6 +20,8 @@ Patch9: djvulibre-3.5.27-integer-overflow.patch Patch10: djvulibre-3.5.27-check-input-pool.patch Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch +Patch13: djvulibre-3.5.27-out-of-bound-write.patch +Patch14: djvulibre-3.5.27-out-of-bound-write-2.patch Requires(post): xdg-utils Requires(preun): xdg-utils
@@ -84,6 +86,8 @@ Development files for DjVuLibre. %patch10 -p1 -b .check-input-pool %patch11 -p1 -b .djvuport-stack-overflow %patch12 -p1 -b .unsigned-short-overflow +%patch13 -p1 -b .out-of-bound-write +%patch14 -p1 -b .out-of-bound-write-2 %build
@@ -191,6 +195,10 @@ fi %changelog +* Fri Jul 02 2021 Marek Kasik - 3.5.27-29 +- Fix out-of-bounds write in djvutext +- Resolves: #1977428 + * Mon May 03 2021 Marek Kasik - 3.5.27-28 - Avoid unsigned short overflow in GBitmap when allocating row buffer - Resolves: #1943424
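Review bot: In the GString.cpp hunk carried by out-of-bound-write.patch, the rewritten test `if(n >= 0)` can no longer be false, because a negative `n` has just been replaced by `strlen(data)`; whatever follows when the test fails is now unreachable, so the `if` should either be dropped or carry a comment saying it is kept only to keep the diff against upstream small. The `(n>0) ? n : 1` special case is what gives `ndata[n]=0` storage when `n == 0`, and that deserves a one-line comment, e.g. `// n == 0: still allocate one byte so the terminator write below has storage`; whether `blank(n)` already reserves room for the terminator is not visible here, so confirm that against blank(). The imported upstream subject ("Lizards!") says nothing about the defect, so a short header in the patch file naming the bug being fixed would help later audits. getbuf's body continues past the end of the hunk.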