Compare commits

...

3 Commits
epel9 ... epel8

Author SHA1 Message Date
Marek Kasik cb768d5f4d Check for zero-size image when allocating GBuffer
9 months ago
Marek Kasik 106cdc1cc6 Improve image size fix
9 months ago
Marek Kasik 0c2ea7ad81 Initial EPEL 8 release
3 years ago

@ -0,0 +1,35 @@
From 3e7facdbcdab27143327b216cddb42a6dd1a50a7 Mon Sep 17 00:00:00 2001
From: Petr Gajdos <pgajdos@suse.cz>
Date: Mon, 6 May 2024 11:26:12 +0200
Subject: [PATCH] Check for zero width and height
Also check for positive number of gray levels.
The patch was created by Petr Gajdos for
https://sourceforge.net/p/djvu/bugs/345/ and pushed
by Marek Kasik to Fedora/EPEL repositories.
---
libdjvu/IW44EncodeCodec.cpp | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp
index f81eaeb..7a402f7 100644
--- a/libdjvu/IW44EncodeCodec.cpp
+++ b/libdjvu/IW44EncodeCodec.cpp
@@ -1424,7 +1424,12 @@ IWBitmap::Encode::init(const GBitmap &bm, const GP<GBitmap> gmask)
int h = bm.rows();
int g = bm.get_grays()-1;
signed char *buffer;
- GPBuffer<signed char> gbuffer(buffer,w*h);
+ size_t sz = w * h;
+ if (sz == 0 || g <= 0) // w or h is zero or g is not positive
+ G_THROW("IWBitmap: zero size image (corrupted file?)");
+ if (sz / (size_t)w != (size_t)h) // multiplication overflow
+ G_THROW("IWBitmap: image size exceeds maximum (corrupted file?)");
+ GPBuffer<signed char> gbuffer(buffer,sz);
// Prepare gray level conversion table
signed char bconv[256];
for (i=0; i<256; i++)
--
2.44.0
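Review bot: In the added `size_t sz = w * h;` the product is still computed in the operands' own type before it is widened, so if `w` is an `int` like `h` (its declaration is above the hunk) a very large image overflows in signed arithmetic, which is undefined, and the following `sz / (size_t)w != (size_t)h` test then runs on an already-wrapped value. Widening first, `size_t sz = (size_t)w * (size_t)h;`, keeps the overflow check well-defined. The same pattern appears as `size_t sz = bw * bh;` in the IW44Image.cpp hunk of the check-image-size patch further down, assuming `bw` and `bh` are also `int`. The `g <= 0` case also reports "zero size image", which would mislead someone triaging a file with a bad gray-level count; a separate message would help. The body of IWBitmap::Encode::init continues outside the hunk.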

@ -2,12 +2,14 @@ diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp
index e8d4b44..aa3d554 100644 index e8d4b44..aa3d554 100644
--- a/libdjvu/IW44Image.cpp --- a/libdjvu/IW44Image.cpp
+++ b/libdjvu/IW44Image.cpp +++ b/libdjvu/IW44Image.cpp
@@ -678,7 +678,11 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast) @@ -678,9 +678,13 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
// Allocate reconstruction buffer
short *data16;
size_t sz = bw * bh; size_t sz = bw * bh;
if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+ if (sz == 0) + if (sz == 0)
+ G_THROW("IW44Image: zero size image (corrupted file?)"); + G_THROW("IW44Image: zero size image (corrupted file?)");
if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
GPBuffer<short> gdata16(data16,sz); GPBuffer<short> gdata16(data16,sz);
+ if (data16 == NULL) + if (data16 == NULL)
+ G_THROW("IW44Image: unable to allocate image data"); + G_THROW("IW44Image: unable to allocate image data");

@ -1,28 +0,0 @@
--- djvulibre-3.5.27/desktopfiles/Makefile.am
+++ djvulibre-3.5.27/desktopfiles/Makefile.am
@@ -32,10 +32,9 @@ if HAVE_CONVERSION_INKSCAPE
convert_icons_process = \
s=`echo $@ | sed -e 's/[a-z]*\([0-9]*\).*/\1/'`; \
${INKSCAPE} \
---without-gui \
--export-width=$${s} \
--export-height=$${s} \
---export-png=$@ $<
+--export-filename=$@ $<
endif
if HAVE_CONVERSION_CONVERT
--- djvulibre-3.5.27/desktopfiles/Makefile.in
+++ djvulibre-3.5.27/desktopfiles/Makefile.in
@@ -306,10 +306,9 @@ PNGICONS = \
@HAVE_CONVERSION_INKSCAPE_TRUE@convert_icons_process = \
@HAVE_CONVERSION_INKSCAPE_TRUE@s=`echo $@ | sed -e 's/[a-z]*\([0-9]*\).*/\1/'`; \
@HAVE_CONVERSION_INKSCAPE_TRUE@${INKSCAPE} \
-@HAVE_CONVERSION_INKSCAPE_TRUE@--without-gui \
@HAVE_CONVERSION_INKSCAPE_TRUE@--export-width=$${s} \
@HAVE_CONVERSION_INKSCAPE_TRUE@--export-height=$${s} \
-@HAVE_CONVERSION_INKSCAPE_TRUE@--export-png=$@ $<
+@HAVE_CONVERSION_INKSCAPE_TRUE@--export-filename=$@ $<
@HAVE_CONVERSION_RSVG_TRUE@convert_icons_process = \
@HAVE_CONVERSION_RSVG_TRUE@s=`echo $@ | sed -e 's/[a-z]*\([0-9]*\).*/\1/'`; \

@ -3,19 +3,19 @@
Summary: DjVu viewers, encoders, and utilities Summary: DjVu viewers, encoders, and utilities
Name: djvulibre Name: djvulibre
Version: 3.5.28 Version: 3.5.28
Release: 2%{?dist} Release: 5%{?dist}
License: GPLv2+ License: GPLv2+
URL: http://djvu.sourceforge.net/ URL: http://djvu.sourceforge.net/
Source0: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz Source0: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
Patch0: djvulibre-3.5.22-cdefs.patch Patch0: djvulibre-3.5.22-cdefs.patch
#Patch1: djvulibre-3.5.25.3-cflags.patch #Patch1: djvulibre-3.5.25.3-cflags.patch
Patch6: djvulibre-3.5.27-export-file.patch
Patch8: djvulibre-3.5.27-check-image-size.patch Patch8: djvulibre-3.5.27-check-image-size.patch
Patch9: djvulibre-3.5.27-integer-overflow.patch Patch9: djvulibre-3.5.27-integer-overflow.patch
Patch10: djvulibre-3.5.27-check-input-pool.patch Patch10: djvulibre-3.5.27-check-input-pool.patch
Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch
Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch
Patch14: djvulibre-3.5.27-out-of-bound-write-2.patch Patch14: djvulibre-3.5.27-out-of-bound-write-2.patch
Patch15: 0001-Check-for-zero-width-and-height.patch
Requires(post): xdg-utils Requires(post): xdg-utils
Requires(preun): xdg-utils Requires(preun): xdg-utils
@ -69,13 +69,13 @@ Development files for DjVuLibre.
%setup -q %setup -q
%patch0 -p1 -b .cdefs %patch0 -p1 -b .cdefs
#%patch1 -p1 -b .cflags #%patch1 -p1 -b .cflags
%patch6 -p1 -b .export-file
%patch8 -p1 -b .check-image-size %patch8 -p1 -b .check-image-size
%patch9 -p1 -b .integer-overflow %patch9 -p1 -b .integer-overflow
%patch10 -p1 -b .check-input-pool %patch10 -p1 -b .check-input-pool
%patch11 -p1 -b .djvuport-stack-overflow %patch11 -p1 -b .djvuport-stack-overflow
%patch12 -p1 -b .unsigned-short-overflow %patch12 -p1 -b .unsigned-short-overflow
%patch14 -p1 -b .out-of-bound-write-2 %patch14 -p1 -b .out-of-bound-write-2
%patch15 -p1 -b .zero-size-image
%build %build
@ -183,6 +183,18 @@ fi
%changelog %changelog
* Tue May 07 2024 Marek Kasik <mkasik@redhat.com> - 3.5.28-5
- Check for zero-size image when allocating GBuffer
- Resolves: #2234737
* Tue May 07 2024 Marek Kasik <mkasik@redhat.com> - 3.5.28-4
- Improve image size fix
- Resolves: #2234740
* Fri Mar 18 2022 Marek Kasik <mkasik@redhat.com> - 3.5.28-3
- Initial EPEL 8 release
- Resolves: #1739168
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.28-2 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.28-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
