Fix CVE-2021-25786

(cherry picked from commit 38a3b8345108922adf27f613a83a14d5a4bdb655)
2023-08-21 14:12:40 +08:00 · 2023-08-21 14:12:40 +08:00 · 7fe7aff7cf
commit 7fe7aff7cf
parent eb503dd1e6
2 changed files with 92 additions and 1 deletions
--- a/CVE-2021-25786.patch
+++ b/CVE-2021-25786.patch
@ -0,0 +1,85 @@
+From 74e00158f5da252b7f8e75e33dd9393f3ac6d3ef Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Mon, 21 Aug 2023 11:02:15 +0800
+Subject: [PATCH 1/1] Fix some pipelines to be safe if downstream write fails (fuzz
+ issue 28262)
+
+Origin:
+https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5
+---
+ libqpdf/Pl_AES_PDF.cc         | 2 +-
+ libqpdf/Pl_ASCII85Decoder.cc  | 7 +++++--
+ libqpdf/Pl_ASCIIHexDecoder.cc | 6 ++++--
+ libqpdf/Pl_Count.cc           | 2 +-
+ 4 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc
+index 5c493cb..64c9f15 100644
+--- a/libqpdf/Pl_AES_PDF.cc
+++ b/libqpdf/Pl_AES_PDF.cc
+@@ -260,6 +260,6 @@ Pl_AES_PDF::flush(bool strip_padding)
+ 	    }
+ 	}
+     }
+-    getNext()->write(this->outbuf, bytes);
+     this->offset = 0;
+    getNext()->write(this->outbuf, bytes);
+ }
+diff --git a/libqpdf/Pl_ASCII85Decoder.cc b/libqpdf/Pl_ASCII85Decoder.cc
+index 3a3b57b..4c888ee 100644
+--- a/libqpdf/Pl_ASCII85Decoder.cc
+++ b/libqpdf/Pl_ASCII85Decoder.cc
+@@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()
+ 
+     QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
+ 	    (this->pos == 5) ? 0 : 1);
+-    getNext()->write(outbuf, this->pos - 1);
+-
+    // Reset before calling getNext()->write in case that throws an
+    // exception.
+    auto t = this->pos - 1;
+     this->pos = 0;
+     memset(this->inbuf, 117, 5);
+
+    getNext()->write(outbuf, t);
+ }
+ 
+ void
+diff --git a/libqpdf/Pl_ASCIIHexDecoder.cc b/libqpdf/Pl_ASCIIHexDecoder.cc
+index d6acab2..6855a25 100644
+--- a/libqpdf/Pl_ASCIIHexDecoder.cc
+++ b/libqpdf/Pl_ASCIIHexDecoder.cc
+@@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()
+ 
+     QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
+ 	    (this->pos == 2) ? 0 : 1);
+-    getNext()->write(&ch, 1);
+-
+    // Reset before calling getNext()->write in case that throws an
+    // exception.
+     this->pos = 0;
+     this->inbuf[0] = '0';
+     this->inbuf[1] = '0';
+     this->inbuf[2] = '\0';
+
+    getNext()->write(&ch, 1);
+ }
+ 
+ void
+diff --git a/libqpdf/Pl_Count.cc b/libqpdf/Pl_Count.cc
+index c76a5e2..6dec58a 100644
+--- a/libqpdf/Pl_Count.cc
+++ b/libqpdf/Pl_Count.cc
+@@ -17,8 +17,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
+     if (len)
+     {
+ 	this->count += len;
+-	getNext()->write(buf, len);
+ 	this->last_char = buf[len - 1];
+	getNext()->write(buf, len);
+     }
+ }
+ 
+-- 
+2.30.0
+
--- a/qpdf.spec
+++ b/qpdf.spec
@ -1,6 +1,6 @@
 Name:           qpdf
 Version:        8.4.2
-Release:        3
+Release:        4
 Summary:        A command-line program to transform PDF files
 License:        (Artistic 2.0 or ASL 2.0) and MIT
 URL:            http://qpdf.sourceforge.net/
@ -8,6 +8,8 @@ Source0:        http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version

 Patch0000:      qpdf-doc.patch
 Patch0001:      qpdf-erase-tests-with-generated-object-stream.patch
+# https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5
+Patch0002:      CVE-2021-25786.patch

 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-turbo-devel pcre-devel
 BuildRequires:  perl-interpreter perl-generators perl(Digest::MD5)
@ -42,6 +44,7 @@ This package contains some man help and other files for %{name}.
 %prep
 %setup 
 %patch0000 -p1 
+%patch0002 -p1
 %ifarch aarch64
 %patch0001 -p1
 %endif
@ -84,6 +87,9 @@ make check
 %{_mandir}/man1/*

 %changelog
+* Mon Aug 21 2023 yaoxin <yao_xin001@hoperun.com> - 8.4.2-4
+- Fix CVE-2021-25786
+
 * Tue Nov 29 2022 Ge Wang <wangge20@h-partners.com> - 8.4.2-3
 - fix missing patch when get src package from x86 architecture