diff --git a/CVE-2020-36277.patch b/CVE-2020-36277.patch new file mode 100644 index 0000000..28ab62c --- /dev/null +++ b/CVE-2020-36277.patch @@ -0,0 +1,56 @@ +From 3ddd9a35cebc28f2b1a5693c27dcfff58218674a Mon Sep 17 00:00:00 2001 +From: Stefan Weil +Date: Sun, 3 May 2020 16:14:20 +0200 +Subject: [PATCH] Fix heap buffer overflow in selReadStream + +selio_reg triggers a heap buffer overflow when sscanf tries to write 201 bytes into a 24 byte string. +It can be detected when the code is compiled with the address sanitizer: + + ==19856==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000001288 at pc 0x00000044462b bp 0x7fffffffddf0 sp 0x7fffffffd5a0 + WRITE of size 201 at 0x603000001288 thread T0 + 0x603000001288 is located 0 bytes to the right of 24-byte region [0x603000001270,0x603000001288) + +Signed-off-by: Stefan Weil +--- + src/sel1.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/src/sel1.c b/src/sel1.c +index 9c6ccf1e..5f61570b 100644 +--- a/src/sel1.c ++++ b/src/sel1.c +@@ -1418,7 +1418,7 @@ SEL *sel; + SEL * + selReadStream(FILE *fp) + { +-char *selname; ++char selname[256]; + char linebuf[256]; + l_int32 sy, sx, cy, cx, i, j, version, ignore; + SEL *sel; +@@ -1435,17 +1435,14 @@ SEL *sel; + + if (fgets(linebuf, sizeof(linebuf), fp) == NULL) + return (SEL *)ERROR_PTR("error reading into linebuf", procName, NULL); +- selname = stringNew(linebuf); + sscanf(linebuf, " ------ %200s ------", selname); + + if (fscanf(fp, " sy = %d, sx = %d, cy = %d, cx = %d\n", + &sy, &sx, &cy, &cx) != 4) { +- LEPT_FREE(selname); + return (SEL *)ERROR_PTR("dimensions not read", procName, NULL); + } + + if ((sel = selCreate(sy, sx, selname)) == NULL) { +- LEPT_FREE(selname); + return (SEL *)ERROR_PTR("sel not made", procName, NULL); + } + selSetOrigin(sel, cy, cx); +@@ -1458,7 +1455,6 @@ SEL *sel; + } + ignore = fscanf(fp, "\n"); + +- LEPT_FREE(selname); + return sel; + } + 
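Review bot: The new `char selname[256]` in the src/sel1.c hunk is never initialized and the return value of `sscanf(linebuf, " ------ %200s ------", selname)` is still unchecked, so a header line that does not match the format now passes an indeterminate, possibly unterminated buffer to `selCreate(sy, sx, selname)`, whereas the old code at least started from a copy of linebuf. Make the parse failure an error in the same style as the surrounding checks, `if (sscanf(linebuf, " ------ %200s ------", selname) != 1) return (SEL *)ERROR_PTR("sel name not read", procName, NULL);`, or at minimum initialize the array with `char selname[256] = "";`. The 256-byte array is correctly sized for `%200s` (200 characters plus the terminator). selReadStream's body continues outside the inner hunks.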
diff --git a/CVE-2020-36278.patch b/CVE-2020-36278.patch new file mode 100644 index 0000000..911a3b2 --- /dev/null +++ b/CVE-2020-36278.patch @@ -0,0 +1,23 @@ +From 8d6e1755518cfb98536d6c3daf0601f226d16842 Mon Sep 17 00:00:00 2001 +From: Dan Bloomberg +Date: Sun, 14 Jun 2020 22:52:40 -0700 +Subject: [PATCH] Issue 23433 in oss-fuzz: Heap-buffer-overflow in + findNextBorderPixel() * Check pix boundary when looking for the next pixel. + +--- + src/ccbord.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/ccbord.c b/src/ccbord.c +index c6237025..4e6363e2 100644 +--- a/src/ccbord.c ++++ b/src/ccbord.c +@@ -1090,6 +1090,8 @@ l_uint32 *line; + pos = (qpos + i) % 8; + npx = px + xpostab[pos]; + npy = py + ypostab[pos]; ++ if (npx < 0 || npx >= w || npy < 0 || npy >= h) ++ continue; + line = data + npy * wpl; + val = GET_DATA_BIT(line, npx); + if (val) { diff --git a/CVE-2020-36279.patch b/CVE-2020-36279.patch new file mode 100644 index 0000000..396661e --- /dev/null +++ b/CVE-2020-36279.patch 
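Review bot: The added bounds check in the src/ccbord.c hunk relies on `w` and `h` being the dimensions of the pix whose `data` is indexed on the next line, but their definitions and the function signature are outside the hunk, so this should be confirmed against the 1.79.0 source when the backport is applied (findNextBorderPixel starts and ends outside the hunk). A one-line why-comment above the `if` would help the next reader, e.g. `/* a border that touches the pix edge can have a neighbor outside the image; skip it */`. The rest of the loop is unchanged.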
@@ -0,0 +1,101 @@ +From 3c18c43b6a3f753f0dfff99610d46ad46b8bfac4 Mon Sep 17 00:00:00 2001 +From: Dan Bloomberg +Date: Tue, 26 May 2020 22:24:40 -0700 +Subject: [PATCH] Fixing oss-fuzz issue 22512: Heap-buffer-overflow in + rasteropGeneralLow() * Simplified the hole-filling function ` + +--- + prog/adaptmap_reg.c | 25 +++++++++++++++++++++++-- + src/adaptmap.c | 12 +++--------- + 2 files changed, 26 insertions(+), 11 deletions(-) + +diff --git a/prog/adaptmap_reg.c b/prog/adaptmap_reg.c +index 65309770..ef8dbfd3 100644 +--- a/prog/adaptmap_reg.c ++++ b/prog/adaptmap_reg.c +@@ -57,7 +57,7 @@ int main(int argc, + l_int32 w, h; + PIX *pixs, *pixg, *pixim, *pixgm, *pixmi, *pix1, *pix2; + PIX *pixmr, *pixmg, *pixmb, *pixmri, *pixmgi, *pixmbi; +-PIXA *pixa; ++PIXA *pixa, *pixa2; + L_REGPARAMS *rp; + + if (regTestSetup(argc, argv, &rp)) +@@ -159,10 +159,31 @@ L_REGPARAMS *rp; + pixaAddPix(pixa, pix2, L_INSERT); + pixDestroy(&pixim); + ++ /* Check pixFillMapHoles() */ ++ pixa2 = pixaCreate(3); ++ pix1 = pixRead("weasel8.png"); /* use this as the map */ ++ pixGammaTRC(pix1, pix1, 1.0, 0, 270); /* darken white pixels */ ++ pixaAddPix(pixa2, pix1, L_COPY); ++ pixGetDimensions(pix1, &w, &h, NULL); ++ pixRasterop(pix1, 0, 0, 5, h, PIX_SET, NULL, 0, 0); /* add white holes */ ++ pixRasterop(pix1, 20, 0, 2, h, PIX_SET, NULL, 0, 0); ++ pixRasterop(pix1, 40, 0, 3, h, PIX_SET, NULL, 0, 0); ++ pixRasterop(pix1, 0, 0, w, 3, PIX_SET, NULL, 0, 0); ++ pixRasterop(pix1, 0, 15, w, 3, PIX_SET, NULL, 0, 0); ++ pixRasterop(pix1, 0, 35, w, 2, PIX_SET, NULL, 0, 0); ++ pixaAddPix(pixa2, pix1, L_COPY); ++ pixFillMapHoles(pix1, w, h, L_FILL_WHITE); ++ pixaAddPix(pixa2, pix1, L_INSERT); ++ pix2 = pixaDisplayTiledInColumns(pixa2, 3, 1.0, 20, 1); ++ regTestWritePixAndCheck(rp, pix2, IFF_PNG); /* 14 */ ++ pixDisplayWithTitle(pix2, 50, 850, NULL, rp->display); ++ pixaDestroy(&pixa2); ++ pixDestroy(&pix2); ++ + /* Display results */ + pix1 = pixaDisplayTiledAndScaled(pixa, 32, 400, 4, 0, 20, 2); + 
pixWrite("/tmp/lept/adapt/results.jpg", pix1, IFF_JFIF_JPEG); +- pixDisplayWithTitle(pix1, 100, 0, NULL, rp->display); ++ pixDisplayWithTitle(pix1, 50, 0, NULL, rp->display); + pixDestroy(&pix1); + pixaDestroy(&pixa); + +diff --git a/src/adaptmap.c b/src/adaptmap.c +index 634be33b..4f5ec4b6 100644 +--- a/src/adaptmap.c ++++ b/src/adaptmap.c +@@ -1470,7 +1470,6 @@ pixFillMapHoles(PIX *pix, + l_int32 w, h, y, nmiss, goodcol, i, j, found, ival, valtest; + l_uint32 val, lastval; + NUMA *na; /* indicates if there is any data in the column */ +-PIX *pixt; + + PROCNAME("pixFillMapHoles"); + +@@ -1522,7 +1521,6 @@ PIX *pixt; + + /* ---------- Fill in missing columns by replication ----------- */ + if (nmiss > 0) { /* replicate columns */ +- pixt = pixCopy(NULL, pix); + /* Find the first good column */ + goodcol = 0; + for (j = 0; j < w; j++) { +@@ -1533,20 +1531,16 @@ PIX *pixt; + } + } + if (goodcol > 0) { /* copy cols backward */ +- for (j = goodcol - 1; j >= 0; j--) { +- pixRasterop(pix, j, 0, 1, h, PIX_SRC, pixt, j + 1, 0); +- pixRasterop(pixt, j, 0, 1, h, PIX_SRC, pix, j, 0); +- } ++ for (j = goodcol - 1; j >= 0; j--) ++ pixRasterop(pix, j, 0, 1, h, PIX_SRC, pix, j + 1, 0); + } + for (j = goodcol + 1; j < w; j++) { /* copy cols forward */ + numaGetIValue(na, j, &ival); + if (ival == 0) { + /* Copy the column to the left of j */ +- pixRasterop(pix, j, 0, 1, h, PIX_SRC, pixt, j - 1, 0); +- pixRasterop(pixt, j, 0, 1, h, PIX_SRC, pix, j, 0); ++ pixRasterop(pix, j, 0, 1, h, PIX_SRC, pix, j - 1, 0); + } + } +- pixDestroy(&pixt); + } + if (w > nx) { /* replicate the last column */ + for (i = 0; i < h; i++) { diff --git a/CVE-2020-36280.patch b/CVE-2020-36280.patch new file mode 100644 index 0000000..f92d870 --- /dev/null +++ b/CVE-2020-36280.patch 
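Review bot: The in-place `pixRasterop(pix, j, 0, 1, h, PIX_SRC, pix, j + 1, 0)` calls in the src/adaptmap.c hunk use the same pix as source and destination, which as I read it is safe only because each call copies a single column that does not overlap its neighbor and both loops walk away from goodcol; that reasoning is not written down, so add `/* in-place: src column j+1 and dest column j never overlap, so no copy of pix is needed */` before the backward loop (the forward loop has the same shape). Separately, this backport also carries the prog/adaptmap_reg.c test additions, which need weasel8.png and reserve regTest index 14; they are harmless for the library build but will make the patch fail to apply if prog/ in 1.79.0 differs from upstream, so trimming the patch to src/adaptmap.c would make the package build more robust. pixFillMapHoles starts and ends outside the inner hunks.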
@@ -0,0 +1,50 @@ +From 5ba34b1fe741d69d43a6c8cf767756997eadd87c Mon Sep 17 00:00:00 2001 +From: Dan Bloomberg +Date: Mon, 22 Jun 2020 23:02:43 -0700 +Subject: [PATCH] Issue 23654 in oss-fuzz: Heap-buffer-overflow in + pixReadFromTiffStream * Increase scanline buffer for reading gray+alpha and + converting to RGBA + +--- + prog/dewarptest1.c | 4 ++-- + src/tiffio.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/prog/dewarptest1.c b/prog/dewarptest1.c +index f81ff14..4da9ba5 100644 +--- a/prog/dewarptest1.c ++++ b/prog/dewarptest1.c +@@ -52,6 +52,8 @@ PIX *pixs2, *pixn2, *pixg2, *pixb2, *pixd2; + + setLeptDebugOK(1); + lept_mkdir("lept/model"); ++ lept_rmdir("lept/dewmod"); ++ lept_mkdir("lept/dewmod"); + + /* pixs = pixRead("1555.007.jpg"); */ + pixs = pixRead("cat.035.jpg"); +@@ -160,8 +162,6 @@ PIX *pixs2, *pixn2, *pixg2, *pixb2, *pixd2; + "/tmp/lept/dewarptest1.pdf"); + fprintf(stderr, "pdf file made: /tmp/lept/model/dewarptest1.pdf\n"); + +- lept_rmdir("lept/dewmod"); +- lept_rmdir("lept/dewtest"); + pixDestroy(&pixs); + pixDestroy(&pixn); + pixDestroy(&pixg); +diff --git a/src/tiffio.c b/src/tiffio.c +index 9c781ec..26fc561 100644 +--- a/src/tiffio.c ++++ b/src/tiffio.c +@@ -572,7 +572,7 @@ PIXCMAP *cmap; + } else if (spp == 2 && bps == 8) { /* gray plus alpha */ + L_INFO("gray+alpha is not supported; converting to RGBA\n", procName); + pixSetSpp(pix, 4); +- linebuf = (l_uint8 *)LEPT_CALLOC(tiffbpl + 1, sizeof(l_uint8)); ++ linebuf = (l_uint8 *)LEPT_CALLOC(2 * tiffbpl + 1, sizeof(l_uint8)); + pixdata = pixGetData(pix); + for (i = 0; i < h; i++) { + if (TIFFReadScanline(tif, linebuf, i, 0) < 0) { +-- +2.27.0 + diff --git a/CVE-2020-36281.patch b/CVE-2020-36281.patch new file mode 100644 index 0000000..d3ef854 --- /dev/null +++ b/CVE-2020-36281.patch 
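Review bot: The resized `LEPT_CALLOC(2 * tiffbpl + 1, sizeof(l_uint8))` in the src/tiffio.c hunk is still handed to `TIFFReadScanline` without a NULL check; nothing between the allocation and the loop tests `linebuf`, so an allocation failure on a large scanline becomes a write through NULL. Add a check right after the call, e.g. `if (!linebuf) { pixDestroy(&pix); return (PIX *)ERROR_PTR("linebuf not made", procName, NULL); }`, adjusting the cleanup to whatever the function already holds at that point, since its body continues outside the hunk. The factor of 2 also deserves a comment stating what the extra space is for (presumably the in-place gray+alpha to RGBA expansion in the loop below, which is outside the hunk), otherwise a later reader may shrink it back. The prog/dewarptest1.c hunk in this patch is unrelated to the CVE and could be dropped from the backport.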
@@ -0,0 +1,35 @@ +From 5ee24b398bb67666f6d173763eaaedd9c36fb1e5 Mon Sep 17 00:00:00 2001 +From: Dan Bloomberg +Date: Mon, 11 May 2020 11:17:30 -0700 +Subject: [PATCH] Fixed issue 22140 in oss-fuzz: Heap-buffer-overflow * color + quantized pix must be 8 bpp before extra colors are added. + +--- + src/colorquant1.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/colorquant1.c b/src/colorquant1.c +index 52ddd386..c7a817d6 100644 +--- a/src/colorquant1.c ++++ b/src/colorquant1.c +@@ -3315,7 +3315,7 @@ l_int32 i, j, w, h, wplc, wplm, wpld, ncolors, index; + l_int32 rval, gval, bval, val, minval, maxval; + l_int32 *lut; + l_uint32 *datac, *datam, *datad, *linec, *linem, *lined; +-PIX *pixc, *pixm, *pixg, *pixd; ++PIX *pix1, *pixc, *pixm, *pixg, *pixd; + PIXCMAP *cmap, *cmapd; + + PROCNAME("pixFewColorsOctcubeQuantMixed"); +@@ -3332,8 +3332,10 @@ PIXCMAP *cmap, *cmapd; + if (maxspan <= 2) maxspan = 15; + + /* Start with a simple fixed octcube quantizer. */ +- if ((pixc = pixFewColorsOctcubeQuant1(pixs, level)) == NULL) ++ if ((pix1 = pixFewColorsOctcubeQuant1(pixs, level)) == NULL) + return (PIX *)ERROR_PTR("too many colors", procName, NULL); ++ pixc = pixConvertTo8(pix1, 1); /* must be 8 bpp */ ++ pixDestroy(&pix1); + + /* Identify and save color entries in the colormap. Set up a LUT + * that returns -1 for any gray pixel. */ diff --git a/leptonica.spec b/leptonica.spec index abde3d5..1b8b121 100644 --- a/leptonica.spec +++ b/leptonica.spec 
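Review bot: `pixc = pixConvertTo8(pix1, 1)` in the src/colorquant1.c hunk is used without a NULL check, whereas the `pixFewColorsOctcubeQuant1` result on the line above is checked; if the conversion fails, pixc is NULL by the time the colormap is read, per the comment that follows the hunk. Mirror the existing check: `if ((pixc = pixConvertTo8(pix1, 1)) == NULL) { pixDestroy(&pix1); return (PIX *)ERROR_PTR("pixc not made", procName, NULL); }`, followed by `pixDestroy(&pix1);` on the success path as now. pixFewColorsOctcubeQuantMixed continues outside the hunk.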
@@ -1,10 +1,16 @@ Name: leptonica Version: 1.79.0 -Release: 1 +Release: 2 Summary: C library for efficient image processing and image analysis operations License: Leptonica URL: https://github.com/danbloomberg/leptonica Source0: https://github.com/DanBloomberg/leptonica/archive/%{version}/%{name}-%{version}.tar.gz +Patch0: CVE-2020-36277.patch +Patch1: CVE-2020-36278.patch +Patch2: CVE-2020-36279.patch +Patch3: CVE-2020-36280.patch +Patch4: CVE-2020-36281.patch + BuildRequires: gcc automake autoconf libtool giflib-devel libjpeg-devel libpng-devel BuildRequires: libtiff-devel libwebp-devel zlib-devel BuildRequires: gnuplot @@ -71,6 +77,9 @@ make check VERBOSE=1 %{_bindir}/* %changelog +* Thu Aug 12 2021 yaoxin - 1.79.0-2 +- Fix CVE-2020-36277 CVE-2020-36278 CVE-2020-36279 CVE-2020-36280 CVE-2020-36281 + * Thu May 6 2021 baizhonggui - 1.79.0-1 - update to 1.79.0
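Review bot: Patch0 through Patch4 are declared, but the hunk contains no change to `%prep`, so whether they are applied depends on that section already using `%autosetup` (or one `%patch` line per patch); if it still uses plain `%setup`, release 2 ships with the CVE fixes unapplied. Please confirm `%prep`, or add `%patch0 -p1` through `%patch4 -p1` there; `-p1` matches the `a/src/...` and `b/src/...` paths the patches use. It would also help maintainers to name the upstream commits each patch corresponds to in the changelog entry (they are in the patch headers).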