Fix out-of-bounds write in djvutext

Resolves: #1977428
4 years ago · ea98c462ec
parent d3ab5800cb
commit ea98c462ec
3 changed files with 54 additions and 1 deletions
--- a/djvulibre-3.5.27-out-of-bound-write-2.patch
+++ b/djvulibre-3.5.27-out-of-bound-write-2.patch
@ -0,0 +1,14 @@
+diff --git a/libdjvu/DjVuText.cpp b/libdjvu/DjVuText.cpp
+index 60a4f39..b11df7b 100644
+--- a/libdjvu/DjVuText.cpp
+++ b/libdjvu/DjVuText.cpp
+@@ -345,7 +345,8 @@ DjVuTXT::decode(const GP<ByteStream> &gbs)
+   int textsize = bs.read24();
+   char *buffer = textUTF8.getbuf(textsize);
+   int readsize = bs.read(buffer,textsize);
+-  buffer[readsize] = 0;
+  if (readsize > 0)
+    buffer[readsize] = 0;
+   if (readsize < textsize)
+     G_THROW( ERR_MSG("DjVuText.corrupt_chunk") );
+   // Try reading zones
--- a/djvulibre-3.5.27-out-of-bound-write.patch
+++ b/djvulibre-3.5.27-out-of-bound-write.patch
@ -0,0 +1,31 @@
+From 7b0ef20690e08f1fe124aebbf42f6310e2f40f81 Mon Sep 17 00:00:00 2001
+From: Leon Bottou <leon@bottou.org>
+Date: Thu, 27 Jun 2019 18:38:03 -0400
+Subject: [PATCH] Lizards!
+
+---
+ libdjvu/GString.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libdjvu/GString.cpp b/libdjvu/GString.cpp
+index bf98bfe..b17ed2a 100644
+--- a/libdjvu/GString.cpp
+++ b/libdjvu/GString.cpp
+@@ -1216,11 +1216,11 @@ GP<GStringRep>
+ GStringRep::getbuf(int n) const
+ {
+   GP<GStringRep> retval;
+-  if(n< 0)
+  if(n < 0)
+     n=strlen(data);
+-  if(n>0)
+  if(n >= 0)
+   {
+-    retval=blank(n);
+    retval=blank((n>0) ? n : 1);
+     char *ndata=retval->data;
+     strncpy(ndata,data,n);
+     ndata[n]=0;
+-- 
+2.31.1
+
--- a/djvulibre.spec
+++ b/djvulibre.spec
@ -3,7 +3,7 @@
 Summary: DjVu viewers, encoders, and utilities
 Name: djvulibre
 Version: 3.5.27
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: GPLv2+
 URL: http://djvu.sourceforge.net/
 Source0: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
@ -20,6 +20,8 @@ Patch9: djvulibre-3.5.27-integer-overflow.patch
 Patch10: djvulibre-3.5.27-check-input-pool.patch
 Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch
 Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch
+Patch13: djvulibre-3.5.27-out-of-bound-write.patch
+Patch14: djvulibre-3.5.27-out-of-bound-write-2.patch

 Requires(post): xdg-utils
 Requires(preun): xdg-utils
@ -84,6 +86,8 @@ Development files for DjVuLibre.
 %patch10 -p1 -b .check-input-pool
 %patch11 -p1 -b .djvuport-stack-overflow
 %patch12 -p1 -b .unsigned-short-overflow
+%patch13 -p1 -b .out-of-bound-write
+%patch14 -p1 -b .out-of-bound-write-2


 %build 
@ -191,6 +195,10 @@ fi


 %changelog
+* Fri Jul 02 2021 Marek Kasik <mkasik@redhat.com> - 3.5.27-29
+- Fix out-of-bounds write in djvutext
+- Resolves: #1977428
+
 * Mon May 03 2021 Marek Kasik <mkasik@redhat.com> - 3.5.27-28
 - Avoid unsigned short overflow in GBitmap when allocating row buffer
 - Resolves: #1943424