From 6715f997836e8fc8205c8ee6657dcb6084bca1e1 Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Fri, 13 Sep 2019 03:52:20 -0500
Subject: user/evince: [CVE] patch CVE-2019-11459 (#148)

---
 user/evince/APKBUILD             | 15 +++++----
 user/evince/CVE-2019-11459.patch | 72 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+), 6 deletions(-)
 create mode 100644 user/evince/CVE-2019-11459.patch

(limited to 'user/evince')

diff --git a/user/evince/APKBUILD b/user/evince/APKBUILD
index a98bf2cf9..ea6b66231 100644
--- a/user/evince/APKBUILD
+++ b/user/evince/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=evince
 pkgver=3.32.0
-pkgrel=1
+pkgrel=2
 pkgdesc="GNOME document viewer"
 url="https://wiki.gnome.org/Apps/Evince"
 arch="all"
@@ -14,10 +14,14 @@ makedepends="djvulibre-dev glib-dev gobject-introspection-dev
 	libsecret-dev libspectre-dev libxml2-dev libxml2-utils poppler-dev
 	tiff-dev zlib-dev"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
-source="https://ftp.gnome.org/pub/gnome/sources/evince/3.32/evince-$pkgver.tar.xz"
+source="https://ftp.gnome.org/pub/gnome/sources/evince/3.32/evince-$pkgver.tar.xz
+	CVE-2019-11459.patch"
+
+# secfixes:
+#   3.32.0-r2:
+#     - CVE-2019-11459
 
 build() {
-	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
@@ -65,13 +69,12 @@ build() {
 }
 
 check() {
-	cd "$builddir"
 	make check
 }
 
 package() {
-	cd "$builddir"
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="565298a200d9ae2f6b4cb53c3cba0d0d0e4cfbef60e4145bfb9c82a5682947ceb2371e52c27179cd69a238cd387bcfd744d3c55df814b6347f07781aec3ea658  evince-3.32.0.tar.xz"
+sha512sums="565298a200d9ae2f6b4cb53c3cba0d0d0e4cfbef60e4145bfb9c82a5682947ceb2371e52c27179cd69a238cd387bcfd744d3c55df814b6347f07781aec3ea658  evince-3.32.0.tar.xz
+ebb8e2e0b2754d4634c99fda7669171e97b583dfbcd383682b70eb36ce816f1bcf1c2cb81b4ffbfac86db891d9f63bd0c2d90ff9ca3838c64a258b6a0002f7c4  CVE-2019-11459.patch"
diff --git a/user/evince/CVE-2019-11459.patch b/user/evince/CVE-2019-11459.patch
new file mode 100644
index 000000000..b331a0c30
--- /dev/null
+++ b/user/evince/CVE-2019-11459.patch
@@ -0,0 +1,72 @@
+From 234f034a4d15cd46dd556f4945f99fbd57ef5f15 Mon Sep 17 00:00:00 2001
+From: Jason Crain <jcrain@src.gnome.org>
+Date: Mon, 15 Apr 2019 23:06:36 -0600
+Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented
+
+The TIFFReadRGBAImageOriented function returns zero if it was unable to
+read the image. Return NULL in this case instead of displaying
+uninitialized memory.
+
+Fixes #1129
+---
+ backend/tiff/tiff-document.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
+index 7715031b..38bb3bd8 100644
+--- a/backend/tiff/tiff-document.c
++++ b/backend/tiff/tiff-document.c
+@@ -292,18 +292,22 @@ tiff_document_render (EvDocument      *document,
+ 		g_warning("Failed to allocate memory for rendering.");
+ 		return NULL;
+ 	}
+-	
++
++	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++					width, height,
++					(uint32 *)pixels,
++					orientation, 0)) {
++		g_warning ("Failed to read TIFF image.");
++		g_free (pixels);
++		return NULL;
++	}
++
+ 	surface = cairo_image_surface_create_for_data (pixels,
+ 						       CAIRO_FORMAT_RGB24,
+ 						       width, height,
+ 						       rowstride);
+ 	cairo_surface_set_user_data (surface, &key,
+ 				     pixels, (cairo_destroy_func_t)g_free);
+-
+-	TIFFReadRGBAImageOriented (tiff_document->tiff,
+-				   width, height,
+-				   (uint32 *)pixels,
+-				   orientation, 0);
+ 	pop_handlers ();
+ 
+ 	/* Convert the format returned by libtiff to
+@@ -384,13 +388,17 @@ tiff_document_get_thumbnail (EvDocument      *document,
+ 	if (!pixels)
+ 		return NULL;
+ 	
++	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
++					width, height,
++					(uint32 *)pixels,
++					ORIENTATION_TOPLEFT, 0)) {
++		g_free (pixels);
++		return NULL;
++	}
++
+ 	pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8, 
+ 					   width, height, rowstride,
+ 					   (GdkPixbufDestroyNotify) g_free, NULL);
+-	TIFFReadRGBAImageOriented (tiff_document->tiff,
+-				   width, height,
+-				   (uint32 *)pixels,
+-				   ORIENTATION_TOPLEFT, 0);
+ 	pop_handlers ();
+ 
+ 	ev_render_context_compute_scaled_size (rc, width, height * (x_res / y_res),
+-- 
+2.21.0
+
-- 
cgit v1.2.3-60-g2f50