Lifted from SUSE: backport of two upstream commits https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e https://sourceforge.net/p/djvu/djvulibre-git/ci/89d71b01d606e57ecec2c2930c145bb20ba5bbe3 https://bugzilla.suse.com/show_bug.cgi?id=1146702#c3 https://build.opensuse.org/package/view_file/graphics/djvulibre/djvulibre-CVE-2019-15142.patch Index: djvulibre-3.5.27/libdjvu/DjVmDir.cpp =================================================================== --- djvulibre-3.5.27.orig/libdjvu/DjVmDir.cpp 2014-07-08 23:15:07.000000000 +0200 +++ djvulibre-3.5.27/libdjvu/DjVmDir.cpp 2019-09-02 13:46:28.076374501 +0200 @@ -300,36 +300,44 @@ DjVmDir::decode(const GP &gs memcpy((char*) strings+strings_size, buffer, length); } DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n"); - - // Copy names into the files + int strings_size=strings.size(); + strings.resize(strings_size+3); + memset((char*) strings+strings_size, 0, 4); + + // Copy names into the files const char * ptr=strings; for(pos=files_list;pos;++pos) { GP file=files_list[pos]; - + if (ptr >= (const char*)strings + strings_size) + G_THROW( "DjVu document is corrupted (DjVmDir)" ); file->id=ptr; ptr+=file->id.length()+1; if (file->flags & File::HAS_NAME) { - file->name=ptr; - ptr+=file->name.length()+1; - } else + file->name=ptr; + ptr+=file->name.length()+1; + } + else { file->name=file->id; } if (file->flags & File::HAS_TITLE) { - file->title=ptr; - ptr+=file->title.length()+1; - } else - file->title=file->id; - /* msr debug: multipage file, file->title is null. + file->title=ptr; + ptr+=file->title.length()+1; + } + else + { + file->title=file->id; + } + /* msr debug: multipage file, file->title is null. DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " << file->offset << ", " << file->size << ", " << file->is_page() << "\n"); */ } - // Check that there is only one file with SHARED_ANNO flag on + // Check that there is only one file with SHARED_ANNO flag on int shared_anno_cnt=0; for(pos=files_list;pos;++pos) { Index: djvulibre-3.5.27/libdjvu/miniexp.cpp =================================================================== --- djvulibre-3.5.27.orig/libdjvu/miniexp.cpp 2015-02-11 05:35:37.000000000 +0100 +++ djvulibre-3.5.27/libdjvu/miniexp.cpp 2019-09-02 13:46:28.072374476 +0200 @@ -1028,7 +1028,7 @@ print_c_string(const char *s, char *d, i { if (char_quoted(c, flags)) { - char buffer[10]; + char buffer[16]; /* 10+1 */ static const char *tr1 = "\"\\tnrbf"; static const char *tr2 = "\"\\\t\n\r\b\f"; buffer[0] = buffer[1] = 0; Index: djvulibre-3.5.27/tools/csepdjvu.cpp =================================================================== --- djvulibre-3.5.27.orig/tools/csepdjvu.cpp 2014-07-24 23:12:05.000000000 +0200 +++ djvulibre-3.5.27/tools/csepdjvu.cpp 2019-09-02 13:46:28.072374476 +0200 @@ -1814,7 +1814,7 @@ main(int argc, const char **argv) ByteStream::create(GURL::Filename::UTF8(arg),"rb"); BufferByteStream ibs(*fbs); do { - char pagename[16]; + char pagename[20]; sprintf(pagename, "p%04d.djvu", ++pageno); if (opts.verbose > 1) DjVuPrintErrorUTF8("%s","--------------------\n");