1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
Lifted from SUSE: backport of two upstream commits
https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e
https://sourceforge.net/p/djvu/djvulibre-git/ci/89d71b01d606e57ecec2c2930c145bb20ba5bbe3
https://bugzilla.suse.com/show_bug.cgi?id=1146702#c3
https://build.opensuse.org/package/view_file/graphics/djvulibre/djvulibre-CVE-2019-15142.patch
Index: djvulibre-3.5.27/libdjvu/DjVmDir.cpp
===================================================================
--- djvulibre-3.5.27.orig/libdjvu/DjVmDir.cpp 2014-07-08 23:15:07.000000000 +0200
+++ djvulibre-3.5.27/libdjvu/DjVmDir.cpp 2019-09-02 13:46:28.076374501 +0200
@@ -300,36 +300,44 @@ DjVmDir::decode(const GP<ByteStream> &gs
memcpy((char*) strings+strings_size, buffer, length);
}
DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
-
- // Copy names into the files
+ int strings_size=strings.size();
+ strings.resize(strings_size+3);
+ memset((char*) strings+strings_size, 0, 4);
+
+ // Copy names into the files
const char * ptr=strings;
for(pos=files_list;pos;++pos)
{
GP<File> file=files_list[pos];
-
+ if (ptr >= (const char*)strings + strings_size)
+ G_THROW( "DjVu document is corrupted (DjVmDir)" );
file->id=ptr;
ptr+=file->id.length()+1;
if (file->flags & File::HAS_NAME)
{
- file->name=ptr;
- ptr+=file->name.length()+1;
- } else
+ file->name=ptr;
+ ptr+=file->name.length()+1;
+ }
+ else
{
file->name=file->id;
}
if (file->flags & File::HAS_TITLE)
{
- file->title=ptr;
- ptr+=file->title.length()+1;
- } else
- file->title=file->id;
- /* msr debug: multipage file, file->title is null.
+ file->title=ptr;
+ ptr+=file->title.length()+1;
+ }
+ else
+ {
+ file->title=file->id;
+ }
+ /* msr debug: multipage file, file->title is null.
DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
file->offset << ", " << file->size << ", " <<
file->is_page() << "\n"); */
}
- // Check that there is only one file with SHARED_ANNO flag on
+ // Check that there is only one file with SHARED_ANNO flag on
int shared_anno_cnt=0;
for(pos=files_list;pos;++pos)
{
Index: djvulibre-3.5.27/libdjvu/miniexp.cpp
===================================================================
--- djvulibre-3.5.27.orig/libdjvu/miniexp.cpp 2015-02-11 05:35:37.000000000 +0100
+++ djvulibre-3.5.27/libdjvu/miniexp.cpp 2019-09-02 13:46:28.072374476 +0200
@@ -1028,7 +1028,7 @@ print_c_string(const char *s, char *d, i
{
if (char_quoted(c, flags))
{
- char buffer[10];
+ char buffer[16]; /* 10+1 */
static const char *tr1 = "\"\\tnrbf";
static const char *tr2 = "\"\\\t\n\r\b\f";
buffer[0] = buffer[1] = 0;
Index: djvulibre-3.5.27/tools/csepdjvu.cpp
===================================================================
--- djvulibre-3.5.27.orig/tools/csepdjvu.cpp 2014-07-24 23:12:05.000000000 +0200
+++ djvulibre-3.5.27/tools/csepdjvu.cpp 2019-09-02 13:46:28.072374476 +0200
@@ -1814,7 +1814,7 @@ main(int argc, const char **argv)
ByteStream::create(GURL::Filename::UTF8(arg),"rb");
BufferByteStream ibs(*fbs);
do {
- char pagename[16];
+ char pagename[20];
sprintf(pagename, "p%04d.djvu", ++pageno);
if (opts.verbose > 1)
DjVuPrintErrorUTF8("%s","--------------------\n");
|
