fix CVE-2020-36277 CVE-2020-36278 CVE-2020-36279 CVE-2020-36280 CVE-2020-36281

(cherry picked from commit fb42ea6477ed262dfee8c1ab123a2dfeb1c3e081)
2021-08-12 16:34:22 +08:00 · 2021-08-12 16:34:22 +08:00 · 3f71ac5650
commit 3f71ac5650
parent c1976d0215
6 changed files with 275 additions and 1 deletions
--- a/CVE-2020-36277.patch
+++ b/CVE-2020-36277.patch
@ -0,0 +1,56 @@
+From 3ddd9a35cebc28f2b1a5693c27dcfff58218674a Mon Sep 17 00:00:00 2001
+From: Stefan Weil <sw@weilnetz.de>
+Date: Sun, 3 May 2020 16:14:20 +0200
+Subject: [PATCH] Fix heap buffer overflow in selReadStream
+
+selio_reg triggers a heap buffer overflow when sscanf tries to write 201 bytes into a 24 byte string.
+It can be detected when the code is compiled with the address sanitizer:
+
+    ==19856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001288 at pc 0x00000044462b bp 0x7fffffffddf0 sp 0x7fffffffd5a0
+    WRITE of size 201 at 0x603000001288 thread T0
+    0x603000001288 is located 0 bytes to the right of 24-byte region [0x603000001270,0x603000001288)
+
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
+---
+ src/sel1.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/sel1.c b/src/sel1.c
+index 9c6ccf1e..5f61570b 100644
+--- a/src/sel1.c
+++ b/src/sel1.c
+@@ -1418,7 +1418,7 @@ SEL   *sel;
+ SEL  *
+ selReadStream(FILE  *fp)
+ {
+-char    *selname;
+char     selname[256];
+ char     linebuf[256];
+ l_int32  sy, sx, cy, cx, i, j, version, ignore;
+ SEL     *sel;
+@@ -1435,17 +1435,14 @@ SEL     *sel;
+ 
+     if (fgets(linebuf, sizeof(linebuf), fp) == NULL)
+         return (SEL *)ERROR_PTR("error reading into linebuf", procName, NULL);
+-    selname = stringNew(linebuf);
+     sscanf(linebuf, "  ------  %200s  ------", selname);
+ 
+     if (fscanf(fp, "  sy = %d, sx = %d, cy = %d, cx = %d\n",
+             &sy, &sx, &cy, &cx) != 4) {
+-        LEPT_FREE(selname);
+         return (SEL *)ERROR_PTR("dimensions not read", procName, NULL);
+     }
+ 
+     if ((sel = selCreate(sy, sx, selname)) == NULL) {
+-        LEPT_FREE(selname);
+         return (SEL *)ERROR_PTR("sel not made", procName, NULL);
+     }
+     selSetOrigin(sel, cy, cx);
+@@ -1458,7 +1455,6 @@ SEL     *sel;
+     }
+     ignore = fscanf(fp, "\n");
+ 
+-    LEPT_FREE(selname);
+     return sel;
+ }
+ 
--- a/CVE-2020-36278.patch
+++ b/CVE-2020-36278.patch
@ -0,0 +1,23 @@
+From 8d6e1755518cfb98536d6c3daf0601f226d16842 Mon Sep 17 00:00:00 2001
+From: Dan Bloomberg <dan.bloomberg@gmail.com>
+Date: Sun, 14 Jun 2020 22:52:40 -0700
+Subject: [PATCH] Issue 23433 in oss-fuzz: Heap-buffer-overflow in
+ findNextBorderPixel() * Check pix boundary when looking for the next pixel.
+
+---
+ src/ccbord.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/ccbord.c b/src/ccbord.c
+index c6237025..4e6363e2 100644
+--- a/src/ccbord.c
+++ b/src/ccbord.c
+@@ -1090,6 +1090,8 @@ l_uint32  *line;
+         pos = (qpos + i) % 8;
+         npx = px + xpostab[pos];
+         npy = py + ypostab[pos];
+        if (npx < 0 || npx >= w || npy < 0 || npy >= h)
+            continue;
+         line = data + npy * wpl;
+         val = GET_DATA_BIT(line, npx);
+         if (val) {
--- a/CVE-2020-36279.patch
+++ b/CVE-2020-36279.patch
@ -0,0 +1,101 @@
+From 3c18c43b6a3f753f0dfff99610d46ad46b8bfac4 Mon Sep 17 00:00:00 2001
+From: Dan Bloomberg <dan.bloomberg@gmail.com>
+Date: Tue, 26 May 2020 22:24:40 -0700
+Subject: [PATCH] Fixing oss-fuzz issue 22512: Heap-buffer-overflow in
+ rasteropGeneralLow() * Simplified the hole-filling function `
+
+---
+ prog/adaptmap_reg.c | 25 +++++++++++++++++++++++--
+ src/adaptmap.c      | 12 +++---------
+ 2 files changed, 26 insertions(+), 11 deletions(-)
+
+diff --git a/prog/adaptmap_reg.c b/prog/adaptmap_reg.c
+index 65309770..ef8dbfd3 100644
+--- a/prog/adaptmap_reg.c
+++ b/prog/adaptmap_reg.c
+@@ -57,7 +57,7 @@ int main(int    argc,
+ l_int32       w, h;
+ PIX          *pixs, *pixg, *pixim, *pixgm, *pixmi, *pix1, *pix2;
+ PIX          *pixmr, *pixmg, *pixmb, *pixmri, *pixmgi, *pixmbi;
+-PIXA         *pixa;
+PIXA         *pixa, *pixa2;
+ L_REGPARAMS  *rp;
+ 
+     if (regTestSetup(argc, argv, &rp))
+@@ -159,10 +159,31 @@ L_REGPARAMS  *rp;
+     pixaAddPix(pixa, pix2, L_INSERT);
+     pixDestroy(&pixim);
+ 
+        /* Check pixFillMapHoles() */
+    pixa2 = pixaCreate(3);
+    pix1 = pixRead("weasel8.png");  /* use this as the map */
+    pixGammaTRC(pix1, pix1, 1.0, 0, 270);  /* darken white pixels */
+    pixaAddPix(pixa2, pix1, L_COPY);
+    pixGetDimensions(pix1, &w, &h, NULL);
+    pixRasterop(pix1, 0, 0, 5, h, PIX_SET, NULL, 0, 0);  /* add white holes */
+    pixRasterop(pix1, 20, 0, 2, h, PIX_SET, NULL, 0, 0);
+    pixRasterop(pix1, 40, 0, 3, h, PIX_SET, NULL, 0, 0);
+    pixRasterop(pix1, 0, 0, w, 3, PIX_SET, NULL, 0, 0);
+    pixRasterop(pix1, 0, 15, w, 3, PIX_SET, NULL, 0, 0);
+    pixRasterop(pix1, 0, 35, w, 2, PIX_SET, NULL, 0, 0);
+    pixaAddPix(pixa2, pix1, L_COPY);
+    pixFillMapHoles(pix1, w, h, L_FILL_WHITE);
+    pixaAddPix(pixa2, pix1, L_INSERT);
+    pix2 = pixaDisplayTiledInColumns(pixa2, 3, 1.0, 20, 1);
+    regTestWritePixAndCheck(rp, pix2, IFF_PNG);  /* 14 */
+    pixDisplayWithTitle(pix2, 50, 850, NULL, rp->display);
+    pixaDestroy(&pixa2);
+    pixDestroy(&pix2);
+    
+         /* Display results */
+     pix1 = pixaDisplayTiledAndScaled(pixa, 32, 400, 4, 0, 20, 2);
+     pixWrite("/tmp/lept/adapt/results.jpg", pix1, IFF_JFIF_JPEG);
+-    pixDisplayWithTitle(pix1, 100, 0, NULL, rp->display);
+    pixDisplayWithTitle(pix1, 50, 0, NULL, rp->display);
+     pixDestroy(&pix1);
+     pixaDestroy(&pixa);
+ 
+diff --git a/src/adaptmap.c b/src/adaptmap.c
+index 634be33b..4f5ec4b6 100644
+--- a/src/adaptmap.c
+++ b/src/adaptmap.c
+@@ -1470,7 +1470,6 @@ pixFillMapHoles(PIX     *pix,
+ l_int32   w, h, y, nmiss, goodcol, i, j, found, ival, valtest;
+ l_uint32  val, lastval;
+ NUMA     *na;  /* indicates if there is any data in the column */
+-PIX      *pixt;
+ 
+     PROCNAME("pixFillMapHoles");
+ 
+@@ -1522,7 +1521,6 @@ PIX      *pixt;
+ 
+     /* ---------- Fill in missing columns by replication ----------- */
+     if (nmiss > 0) {  /* replicate columns */
+-        pixt = pixCopy(NULL, pix);
+             /* Find the first good column */
+         goodcol = 0;
+         for (j = 0; j < w; j++) {
+@@ -1533,20 +1531,16 @@ PIX      *pixt;
+             }
+         }
+         if (goodcol > 0) {  /* copy cols backward */
+-            for (j = goodcol - 1; j >= 0; j--) {
+-                pixRasterop(pix, j, 0, 1, h, PIX_SRC, pixt, j + 1, 0);
+-                pixRasterop(pixt, j, 0, 1, h, PIX_SRC, pix, j, 0);
+-            }
+            for (j = goodcol - 1; j >= 0; j--)
+                pixRasterop(pix, j, 0, 1, h, PIX_SRC, pix, j + 1, 0);
+         }
+         for (j = goodcol + 1; j < w; j++) {   /* copy cols forward */
+             numaGetIValue(na, j, &ival);
+             if (ival == 0) {
+                     /* Copy the column to the left of j */
+-                pixRasterop(pix, j, 0, 1, h, PIX_SRC, pixt, j - 1, 0);
+-                pixRasterop(pixt, j, 0, 1, h, PIX_SRC, pix, j, 0);
+                pixRasterop(pix, j, 0, 1, h, PIX_SRC, pix, j - 1, 0);
+             }
+         }
+-        pixDestroy(&pixt);
+     }
+     if (w > nx) {  /* replicate the last column */
+         for (i = 0; i < h; i++) {
--- a/CVE-2020-36280.patch
+++ b/CVE-2020-36280.patch
@ -0,0 +1,50 @@
+From 5ba34b1fe741d69d43a6c8cf767756997eadd87c Mon Sep 17 00:00:00 2001
+From: Dan Bloomberg <dan.bloomberg@gmail.com>
+Date: Mon, 22 Jun 2020 23:02:43 -0700
+Subject: [PATCH] Issue 23654 in oss-fuzz: Heap-buffer-overflow in
+ pixReadFromTiffStream   * Increase scanline buffer for reading gray+alpha and
+ converting to RGBA
+
+---
+ prog/dewarptest1.c | 4 ++--
+ src/tiffio.c       | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/prog/dewarptest1.c b/prog/dewarptest1.c
+index f81ff14..4da9ba5 100644
+--- a/prog/dewarptest1.c
+++ b/prog/dewarptest1.c
+@@ -52,6 +52,8 @@ PIX        *pixs2, *pixn2, *pixg2, *pixb2, *pixd2;
+ 
+     setLeptDebugOK(1);
+     lept_mkdir("lept/model");
+    lept_rmdir("lept/dewmod");
+    lept_mkdir("lept/dewmod");
+ 
+ /*    pixs = pixRead("1555.007.jpg"); */
+     pixs = pixRead("cat.035.jpg");
+@@ -160,8 +162,6 @@ PIX        *pixs2, *pixn2, *pixg2, *pixb2, *pixd2;
+                       "/tmp/lept/dewarptest1.pdf");
+     fprintf(stderr, "pdf file made: /tmp/lept/model/dewarptest1.pdf\n");
+ 
+-    lept_rmdir("lept/dewmod");
+-    lept_rmdir("lept/dewtest");
+     pixDestroy(&pixs);
+     pixDestroy(&pixn);
+     pixDestroy(&pixg);
+diff --git a/src/tiffio.c b/src/tiffio.c
+index 9c781ec..26fc561 100644
+--- a/src/tiffio.c
+++ b/src/tiffio.c
+@@ -572,7 +572,7 @@ PIXCMAP   *cmap;
+     } else if (spp == 2 && bps == 8) {  /* gray plus alpha */
+         L_INFO("gray+alpha is not supported; converting to RGBA\n", procName);
+         pixSetSpp(pix, 4);
+-        linebuf = (l_uint8 *)LEPT_CALLOC(tiffbpl + 1, sizeof(l_uint8));
+        linebuf = (l_uint8 *)LEPT_CALLOC(2 * tiffbpl + 1, sizeof(l_uint8));
+         pixdata = pixGetData(pix);
+         for (i = 0; i < h; i++) {
+             if (TIFFReadScanline(tif, linebuf, i, 0) < 0) {
+-- 
+2.27.0
+
--- a/CVE-2020-36281.patch
+++ b/CVE-2020-36281.patch
@ -0,0 +1,35 @@
+From 5ee24b398bb67666f6d173763eaaedd9c36fb1e5 Mon Sep 17 00:00:00 2001
+From: Dan Bloomberg <dan.bloomberg@gmail.com>
+Date: Mon, 11 May 2020 11:17:30 -0700
+Subject: [PATCH] Fixed issue 22140 in oss-fuzz: Heap-buffer-overflow * color
+ quantized pix must be 8 bpp before extra colors are added.
+
+---
+ src/colorquant1.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/colorquant1.c b/src/colorquant1.c
+index 52ddd386..c7a817d6 100644
+--- a/src/colorquant1.c
+++ b/src/colorquant1.c
+@@ -3315,7 +3315,7 @@ l_int32    i, j, w, h, wplc, wplm, wpld, ncolors, index;
+ l_int32    rval, gval, bval, val, minval, maxval;
+ l_int32   *lut;
+ l_uint32  *datac, *datam, *datad, *linec, *linem, *lined;
+-PIX       *pixc, *pixm, *pixg, *pixd;
+PIX       *pix1, *pixc, *pixm, *pixg, *pixd;
+ PIXCMAP   *cmap, *cmapd;
+ 
+     PROCNAME("pixFewColorsOctcubeQuantMixed");
+@@ -3332,8 +3332,10 @@ PIXCMAP   *cmap, *cmapd;
+     if (maxspan <= 2) maxspan = 15;
+ 
+         /* Start with a simple fixed octcube quantizer. */
+-    if ((pixc = pixFewColorsOctcubeQuant1(pixs, level)) == NULL)
+    if ((pix1 = pixFewColorsOctcubeQuant1(pixs, level)) == NULL)
+         return (PIX *)ERROR_PTR("too many colors", procName, NULL);
+    pixc = pixConvertTo8(pix1, 1);  /* must be 8 bpp */
+    pixDestroy(&pix1);
+ 
+         /* Identify and save color entries in the colormap.  Set up a LUT
+          * that returns -1 for any gray pixel. */
--- a/leptonica.spec
+++ b/leptonica.spec
@ -1,10 +1,16 @@
 Name:                leptonica
 Version:             1.79.0
-Release:             1
+Release:             2
 Summary:             C library for efficient image processing and image analysis operations
 License:             Leptonica
 URL:                 https://github.com/danbloomberg/leptonica
 Source0:             https://github.com/DanBloomberg/leptonica/archive/%{version}/%{name}-%{version}.tar.gz
+Patch0:              CVE-2020-36277.patch
+Patch1:              CVE-2020-36278.patch
+Patch2:              CVE-2020-36279.patch
+Patch3:              CVE-2020-36280.patch
+Patch4:              CVE-2020-36281.patch
+
 BuildRequires:       gcc automake autoconf libtool giflib-devel libjpeg-devel libpng-devel
 BuildRequires:       libtiff-devel libwebp-devel zlib-devel
 BuildRequires:       gnuplot
@ -71,6 +77,9 @@ make check VERBOSE=1
 %{_bindir}/*

 %changelog
+* Thu Aug 12 2021 yaoxin <yaoxin30@huawei.com> - 1.79.0-2
+- Fix CVE-2020-36277 CVE-2020-36278 CVE-2020-36279 CVE-2020-36280 CVE-2020-36281
+
 * Thu May 6 2021 baizhonggui <baizhonggui@huawei.com> - 1.79.0-1
 - update to 1.79.0