summaryrefslogblamecommitdiff
path: root/user/djvulibre/CVE-2019-15143.patch
blob: db04087e12e4fbfcd63a4790cd856b9b966635c7 (plain) (tree)












































                                                                      
From b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f Mon Sep 17 00:00:00 2001
From: Leon Bottou <leon@bottou.org>
Date: Tue, 26 Mar 2019 20:45:46 -0400
Subject: [PATCH] fix for bug #297

---
 libdjvu/DjVmDir.cpp | 2 +-
 libdjvu/GBitmap.cpp | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
index 0a0fac6..5a49015 100644
--- a/libdjvu/DjVmDir.cpp
+++ b/libdjvu/DjVmDir.cpp
@@ -309,7 +309,7 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
       {
          GP<File> file=files_list[pos];
          if (ptr >= (const char*)strings + strings_size)
-           G_THROW( "DjVu document is corrupted (DjVmDir)" );
+           G_THROW( ByteStream::EndOfFile );
          file->id=ptr;
          ptr+=file->id.length()+1;
          if (file->flags & File::HAS_NAME)
diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
index 0e487f0..c2fdbe4 100644
--- a/libdjvu/GBitmap.cpp
+++ b/libdjvu/GBitmap.cpp
@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs)
   int c = 0;
   while (n >= 0)
     {
-      bs.read(&h, 1);
+      if (bs.read(&h, 1) <= 0)
+        G_THROW( ByteStream::EndOfFile );
       int x = h;
       if (x >= (int)RUNOVERFLOWVALUE)
         {
-          bs.read(&h, 1);
+          if (bs.read(&h, 1) <= 0)
+            G_THROW( ByteStream::EndOfFile );
           x = h + ((x - (int)RUNOVERFLOWVALUE) << 8);
         }
       if (c+x > ncolumns)
-- 
2.22.1