!47 [sync] PR-41: Fix CVE-2021-46310,CVE-2021-46312

From: @openeuler-sync-bot Reviewed-by: @wang--ge Signed-off-by: @wang--ge
Fix CVE-2021-46310,CVE-2021-46312
2023-09-13 10:19:14 +00:00 · 2023-09-13 16:04:39 +08:00 · 2021-07-07 06:14:42 +00:00 · 2021-07-07 11:53:33 +08:00 · 2021-07-01 03:19:07 +00:00 · 2021-07-01 10:03:22 +08:00
9 changed files with 200 additions and 1 deletions
--- a/CVE-2021-32490.patch
+++ b/CVE-2021-32490.patch
@ -0,0 +1,16 @@
+diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp
+index e8d4b44..aa3d554 100644
+--- a/libdjvu/IW44Image.cpp
+++ b/libdjvu/IW44Image.cpp
+@@ -678,7 +678,11 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
+   size_t sz = bw * bh;
+   if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+     G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+  if (sz == 0)
+    G_THROW("IW44Image: zero size image (corrupted file?)");
+   GPBuffer<short> gdata16(data16,sz);
+  if (data16 == NULL)
+    G_THROW("IW44Image: unable to allocate image data");
+   // Copy coefficients
+   int i;
+   short *p = data16;
--- a/CVE-2021-32491.patch
+++ b/CVE-2021-32491.patch
@ -0,0 +1,23 @@
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 7109952..b41f7d2 100644
+--- a/tools/ddjvu.cpp
+++ b/tools/ddjvu.cpp
+@@ -70,6 +70,7 @@
+ #include <locale.h>
+ #include <fcntl.h>
+ #include <errno.h>
+#include <cstdint>
+ 
+ #ifdef UNIX
+ # include <sys/time.h>
+@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno)
+     rowsize = rrect.w;
+   else
+     rowsize = rrect.w * 3; 
+-  if (! (image = (char*)malloc(rowsize * rrect.h)))
+  if ((size_t) rowsize > SIZE_MAX / rrect.h)
+    die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
+  if (! (image = (char*)malloc((size_t) rowsize * rrect.h)))
+     die(i18n("Cannot allocate image buffer for page %d"), pageno);
+ 
+   /* Render */
--- a/CVE-2021-32492.patch
+++ b/CVE-2021-32492.patch
@ -0,0 +1,13 @@
+diff --git a/libdjvu/DataPool.cpp b/libdjvu/DataPool.cpp
+index 5fcbedf..4c2eaf0 100644
+--- a/libdjvu/DataPool.cpp
+++ b/libdjvu/DataPool.cpp
+@@ -791,6 +791,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
+   DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
+   DEBUG_MAKE_INDENT(3);
+ 
+  if (!pool) G_THROW( ERR_MSG("DataPool.zero_DataPool") );
+
+   DataPool *xpool=new DataPool();
+   GP<DataPool> retval=xpool;
+   xpool->init();
--- a/CVE-2021-32493.patch
+++ b/CVE-2021-32493.patch
@ -0,0 +1,21 @@
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index c2fdbe4..e271a1d 100644
+--- a/libdjvu/GBitmap.cpp
+++ b/libdjvu/GBitmap.cpp
+@@ -69,6 +69,7 @@
+ #include <stddef.h>
+ #include <stdlib.h>
+ #include <string.h>
+#include <climits>
+ 
+ // - Author: Leon Bottou, 05/1997
+ 
+@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
+   // initialize pixel array
+   if (nrows==0 || ncolumns==0)
+     G_THROW( ERR_MSG("GBitmap.not_init") );
+  if (ncolumns > USHRT_MAX - border)
+    G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
+   bytes_per_row = ncolumns + border;
+   if (runs==0)
+     G_THROW( ERR_MSG("GBitmap.null_arg") );
--- a/CVE-2021-3500.patch
+++ b/CVE-2021-3500.patch
@ -0,0 +1,36 @@
+diff --git a/libdjvu/DjVuPort.cpp b/libdjvu/DjVuPort.cpp
+index 2b3e0d2..ede7f6b 100644
+--- a/libdjvu/DjVuPort.cpp
+++ b/libdjvu/DjVuPort.cpp
+@@ -507,10 +507,19 @@ GP<DjVuFile>
+ DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
+ {
+    GPList<DjVuPort> list;
+
+   if (!!opening_id && opening_id == id)
+      G_THROW( ERR_MSG("DjVuPortcaster.recursive_open") );
+   else
+      opening_id = id;
+
+    compute_closure(source, list, true);
+    GP<DjVuFile> file;
+    for(GPosition pos=list;pos;++pos)
+       if ((file=list[pos]->id_to_file(source, id))) break;
+
+   opening_id = GUTF8String();
+
+    return file;
+ }
+ 
+diff --git a/libdjvu/DjVuPort.h b/libdjvu/DjVuPort.h
+index e2b3125..313dc2b 100644
+--- a/libdjvu/DjVuPort.h
+++ b/libdjvu/DjVuPort.h
+@@ -484,6 +484,7 @@ private:
+                        const DjVuPort *dst, int distance);
+    void compute_closure(const DjVuPort *src, GPList<DjVuPort> &list,
+                         bool sorted=false);
+   GUTF8String opening_id;
+ };
+ 
+ 
--- a/CVE-2021-3630.patch
+++ b/CVE-2021-3630.patch
@ -0,0 +1,30 @@
+From a613ff8a73585b55359e9b7128b4a30665b1f191 Mon Sep 17 00:00:00 2001
+Author: Leon Bottou <leon@bottou.org> 
+Date:   Thu Jun 27 18:38:03 2019 -0400
+
+---
+ libdjvu/GString.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libdjvu/GString.cpp b/libdjvu/GString.cpp
+index 181c0b2..f71e6b3 100644
+--- a/libdjvu/GString.cpp
+++ b/libdjvu/GString.cpp
+@@ -1212,11 +1212,11 @@ GP<GStringRep>
+ GStringRep::getbuf(int n) const
+ {
+   GP<GStringRep> retval;
+-  if(n< 0)
+  if(n < 0)
+     n=strlen(data);
+-  if(n>0)
+  if(n >= 0)
+   {
+-    retval=blank(n);
+    retval=blank((n>0) ? n : 1);
+     char *ndata=retval->data;
+     strncpy(ndata,data,n);
+     ndata[n]=0;
+-- 
+2.23.0
+
--- a/CVE-2021-46310.patch
+++ b/CVE-2021-46310.patch
@ -0,0 +1,19 @@
+Origin: https://sourceforge.net/p/djvu/bugs/345/
+
+Index: djvulibre-3.5.28/libdjvu/IW44Image.cpp
+===================================================================
+--- djvulibre-3.5.28.orig/libdjvu/IW44Image.cpp
+++ djvulibre-3.5.28/libdjvu/IW44Image.cpp
+@@ -676,10 +676,10 @@ IW44Image::Map::image(signed char *img8,
+   // Allocate reconstruction buffer
+   short *data16;
+   size_t sz = bw * bh;
+  if (sz == 0) // bw or bh is zero
+    G_THROW("IW44Image: zero size image (corrupted file?)");
+   if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+     G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+-  if (sz == 0)
+-    G_THROW("IW44Image: zero size image (corrupted file?)");
+   GPBuffer<short> gdata16(data16,sz);
+   if (data16 == NULL)
+     G_THROW("IW44Image: unable to allocate image data");
--- a/CVE-2021-46312.patch
+++ b/CVE-2021-46312.patch
@ -0,0 +1,20 @@
+Origin: https://sourceforge.net/p/djvu/bugs/344/
+
+Index: djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp
+===================================================================
+--- djvulibre-3.5.28.orig/libdjvu/IW44EncodeCodec.cpp
+++ djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp
+@@ -1424,7 +1424,12 @@ IWBitmap::Encode::init(const GBitmap &bm
+   int h = bm.rows();
+   int g = bm.get_grays()-1;
+   signed char *buffer;
+-  GPBuffer<signed char> gbuffer(buffer,w*h);
+  size_t sz = w * h;
+  if (sz == 0 || g <= 0) // w or h is zero or g is not positive
+    G_THROW("IWBitmap: zero size image (corrupted file?)");
+  if (sz / (size_t)w != (size_t)h) // multiplication overflow
+    G_THROW("IWBitmap: image size exceeds maximum (corrupted file?)");
+  GPBuffer<signed char> gbuffer(buffer,sz);
+   // Prepare gray level conversion table
+   signed char  bconv[256];
+   for (i=0; i<256; i++)
--- a/djvulibre.spec
+++ b/djvulibre.spec
@ -1,7 +1,7 @@
 Name:             djvulibre
 Summary:          An open source (GPL'ed) implementation of DjVu
 Version:          3.5.27
-Release:          15
+Release:          19
 License:          GPLv2+
 URL:              http://djvu.sourceforge.net/
 Source0:          http://downloads.sourceforge.net/djvu/djvulibre-%{version}.tar.gz
@ -12,6 +12,15 @@ Patch3:           CVE-2019-15144.patch
 Patch4:           CVE-2019-15145.patch
 Patch5:           CVE-2019-18804.patch
 Patch6:           update-any2djvu-server-hostname.patch
+Patch7:           CVE-2021-32490.patch
+Patch8:           CVE-2021-32491.patch
+Patch9:           CVE-2021-32492.patch
+Patch10:          CVE-2021-32493.patch
+Patch11:          CVE-2021-3500.patch
+Patch12:          CVE-2021-3630.patch
+Patch13:          CVE-2021-46310.patch
+Patch14:          CVE-2021-46312.patch
+
 Requires(post):   xdg-utils
 Requires(preun):  xdg-utils
 BuildRequires:    libjpeg-turbo-devel libtiff-devel xdg-utils chrpath hicolor-icon-theme gcc-c++
@ -94,6 +103,18 @@ rm -f %{_datadir}/icons/hicolor/32x32/apps/djvulibre-djview3.png || :
 %{_mandir}/man1/*

 %changelog
+* Wed Sep 13 2023 wangkai <13474090681@163.com> - 3.5.27-19
+- Fix CVE-2021-46310,CVE-2021-46312
+
+* Wed Jul 07 2021 wangyue<wangyue92@huawei.com> - 3.5.27-18
+- Fix CVE-2021-3630
+
+* Wed Jun 30 2021 liwu<liwu13@huawei.com> - 3.5.27-17
+* Fix CVE-2021-32493 CVE-2021-3500
+
+* Wed Jun 30 2021 liwu<liwu13@huawei.com> - 3.5.27-16
+* Fix CVE-2021-32490, CVE-2021-32491, CVE-2021-32492
+
 * Thu Jan 28 2021 lingsheng <lingsheng@huawei.com> - 3.5.27-15
 - update any2djvu server hostname
Author	SHA1	Message	Date
openeuler-ci-bot	05a15a2fee	!47 [sync] PR-41: Fix CVE-2021-46310,CVE-2021-46312 From: @openeuler-sync-bot Reviewed-by: @wang--ge Signed-off-by: @wang--ge	2023-09-13 10:19:14 +00:00
wk333	b35e428eec	Fix CVE-2021-46310,CVE-2021-46312 (cherry picked from commit a782ccd218e9e4bc79b7bb181c9728b19ed4b1f9)	2023-09-13 16:04:39 +08:00
openeuler-ci-bot	fa5807badb	!31 Fix CVE-2021-3630 From: @wang_yue111 Reviewed-by: @small_leek Signed-off-by: @small_leek	2021-07-07 06:14:42 +00:00
wang_yue111	6be891ae9b	Fix CVE-2021-3630	2021-07-07 11:53:33 +08:00
openeuler-ci-bot	f199e28412	!24 fix CVE-2021-32493 CVE-2021-3500 From: @programmer12 Reviewed-by: @jackie_wu123,@small_leek Signed-off-by: @small_leek	2021-07-01 03:19:07 +00:00
programmer12	a52e8e3eff	fix CVE-2021-32493 CVE-2021-3500	2021-07-01 10:03:22 +08:00
openeuler-ci-bot	5bd240bff5	!23 CVE-2021-32490 CVE-2021-32491 CVE-2021-32492 From: @programmer12 Reviewed-by: @small_leek Signed-off-by: @small_leek	2021-06-30 09:28:05 +00:00
programmer12	424b0606dd	fix CVE-2021-32490 CVE-2021-32491 CVE-2021-32492	2021-06-30 16:04:56 +08:00
openeuler-ci-bot	d407c789f6	!19 fix CVE-2021-32493 CVE-2021-3500 From: @houyingchao Reviewed-by: @small_leek Signed-off-by: @small_leek	2021-06-30 06:59:14 +00:00
houyingchao	3ec4a35371	fix CVE-2021-32493 CVE-2021-3500	2021-06-30 14:35:45 +08:00