Accepting request 858983 from graphics

- Update to version 3.5.28
  * ddjvu: tiff generation improvements
  * djvumake: security checks on INCL chunks
  * all: updated for modern compilers
  * bugs: fixed several crashes on invalid inputs
  * miniexp: fixed escape printout and macrochars
  * djvudigital: can use poppler to find text
  * csepdjvu: handle T comments for page titles
  * bytestream: fixed 2GB limit
  * gexception, gthread: cleanup obsolete code
- Drop patches incorporated or otherwise fixed upstream:
  * djvulibre-invalid-tiff.patch
  * djvulibre-CVE-2019-15144.patch
  * djvulibre-CVE-2019-15145.patch
  * djvulibre-CVE-2019-18804.patch
  * djvulibre-CVE-2019-15143.patch
  * djvulibre-always-assume-that-cpuid-works-on-x86_64.patch
  * djvulibre-CVE-2019-15142.patch
  * reproducible.patch
- Only run post(un) scriptlets for desktop database update for
  openSUSE < 1550, these are void otherwise.
- Regenerate configure script as it is no longer supplied with
  tarball; add BuildRequires: libtool.
- Adapt file list for mime file no longer being installed (this is
  intentional from upstream); accordingly drop shared-mime-info
  BuildRequires and post(un) scripts.

OBS-URL: https://build.opensuse.org/request/show/858983
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/djvulibre?expand=0&rev=40
Dominique Leuenberger 2020-12-30 16:11:15 +00:00 committed by Git OBS Bridge
commit 3f224dfc29
12 changed files with 44 additions and 356 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e69668252565603875fb88500cde02bf93d12d48a3884e472696c896e81f505f
size 3648522

3
djvulibre-3.5.28.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:82e392a9cccfee94fa604126c67f06dbc43ed5f9f0905d15b6c8164f83ed5655
size 3262159


@ -1,87 +0,0 @@
Index: djvulibre-3.5.27/libdjvu/DjVmDir.cpp
===================================================================
--- djvulibre-3.5.27.orig/libdjvu/DjVmDir.cpp 2014-07-08 23:15:07.000000000 +0200
+++ djvulibre-3.5.27/libdjvu/DjVmDir.cpp 2019-09-02 13:46:28.076374501 +0200
@@ -300,36 +300,44 @@ DjVmDir::decode(const GP<ByteStream> &gs
memcpy((char*) strings+strings_size, buffer, length);
}
DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
-
- // Copy names into the files
+ int strings_size=strings.size();
+ strings.resize(strings_size+3);
+ memset((char*) strings+strings_size, 0, 4);
+
+ // Copy names into the files
const char * ptr=strings;
for(pos=files_list;pos;++pos)
{
GP<File> file=files_list[pos];
-
+ if (ptr >= (const char*)strings + strings_size)
+ G_THROW( "DjVu document is corrupted (DjVmDir)" );
file->id=ptr;
ptr+=file->id.length()+1;
if (file->flags & File::HAS_NAME)
{
- file->name=ptr;
- ptr+=file->name.length()+1;
- } else
+ file->name=ptr;
+ ptr+=file->name.length()+1;
+ }
+ else
{
file->name=file->id;
}
if (file->flags & File::HAS_TITLE)
{
- file->title=ptr;
- ptr+=file->title.length()+1;
- } else
- file->title=file->id;
- /* msr debug: multipage file, file->title is null.
+ file->title=ptr;
+ ptr+=file->title.length()+1;
+ }
+ else
+ {
+ file->title=file->id;
+ }
+ /* msr debug: multipage file, file->title is null.
DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
file->offset << ", " << file->size << ", " <<
file->is_page() << "\n"); */
}
- // Check that there is only one file with SHARED_ANNO flag on
+ // Check that there is only one file with SHARED_ANNO flag on
int shared_anno_cnt=0;
for(pos=files_list;pos;++pos)
{
Index: djvulibre-3.5.27/libdjvu/miniexp.cpp
===================================================================
--- djvulibre-3.5.27.orig/libdjvu/miniexp.cpp 2015-02-11 05:35:37.000000000 +0100
+++ djvulibre-3.5.27/libdjvu/miniexp.cpp 2019-09-02 13:46:28.072374476 +0200
@@ -1028,7 +1028,7 @@ print_c_string(const char *s, char *d, i
{
if (char_quoted(c, flags))
{
- char buffer[10];
+ char buffer[16]; /* 10+1 */
static const char *tr1 = "\"\\tnrbf";
static const char *tr2 = "\"\\\t\n\r\b\f";
buffer[0] = buffer[1] = 0;
Index: djvulibre-3.5.27/tools/csepdjvu.cpp
===================================================================
--- djvulibre-3.5.27.orig/tools/csepdjvu.cpp 2014-07-24 23:12:05.000000000 +0200
+++ djvulibre-3.5.27/tools/csepdjvu.cpp 2019-09-02 13:46:28.072374476 +0200
@@ -1814,7 +1814,7 @@ main(int argc, const char **argv)
ByteStream::create(GURL::Filename::UTF8(arg),"rb");
BufferByteStream ibs(*fbs);
do {
- char pagename[16];
+ char pagename[20];
sprintf(pagename, "p%04d.djvu", ++pageno);
if (opts.verbose > 1)
DjVuPrintErrorUTF8("%s","--------------------\n");


@ -1,20 +0,0 @@
diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
index 0e487f0..c2fdbe4 100644
--- a/libdjvu/GBitmap.cpp
+++ b/libdjvu/GBitmap.cpp
@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs)
int c = 0;
while (n >= 0)
{
- bs.read(&h, 1);
+ if (bs.read(&h, 1) <= 0)
+ G_THROW( ByteStream::EndOfFile );
int x = h;
if (x >= (int)RUNOVERFLOWVALUE)
{
- bs.read(&h, 1);
+ if (bs.read(&h, 1) <= 0)
+ G_THROW( ByteStream::EndOfFile );
x = h + ((x - (int)RUNOVERFLOWVALUE) << 8);
}
if (c+x > ncolumns)


@ -1,105 +0,0 @@
diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h
index 96b067c..0140211 100644
--- a/libdjvu/GContainer.h
+++ b/libdjvu/GContainer.h
@@ -550,52 +550,61 @@ public:
template <class TYPE> void
GArrayTemplate<TYPE>::sort(int lo, int hi)
{
- if (hi <= lo)
- return;
- if (hi > hibound || lo<lobound)
- G_THROW( ERR_MSG("GContainer.illegal_subscript") );
TYPE *data = (TYPE*)(*this);
- // Test for insertion sort
- if (hi <= lo + 50)
+ while(true)
{
- for (int i=lo+1; i<=hi; i++)
+ if (hi <= lo)
+ return;
+ if (hi > hibound || lo<lobound)
+ G_THROW( ERR_MSG("GContainer.illegal_subscript") );
+ // Test for insertion sort
+ if (hi <= lo + 50)
{
- int j = i;
- TYPE tmp = data[i];
- while ((--j>=lo) && !(data[j]<=tmp))
- data[j+1] = data[j];
- data[j+1] = tmp;
+ for (int i=lo+1; i<=hi; i++)
+ {
+ int j = i;
+ TYPE tmp = data[i];
+ while ((--j>=lo) && !(data[j]<=tmp))
+ data[j+1] = data[j];
+ data[j+1] = tmp;
+ }
+ return;
}
- return;
- }
- // -- determine suitable quick-sort pivot
- TYPE tmp = data[lo];
- TYPE pivot = data[(lo+hi)/2];
- if (pivot <= tmp)
- { tmp = pivot; pivot=data[lo]; }
- if (data[hi] <= tmp)
- { pivot = tmp; }
- else if (data[hi] <= pivot)
- { pivot = data[hi]; }
- // -- partition set
- int h = hi;
- int l = lo;
- while (l < h)
- {
- while (! (pivot <= data[l])) l++;
- while (! (data[h] <= pivot)) h--;
- if (l < h)
+ // -- determine median-of-three pivot
+ TYPE tmp = data[lo];
+ TYPE pivot = data[(lo+hi)/2];
+ if (pivot <= tmp)
+ { tmp = pivot; pivot=data[lo]; }
+ if (data[hi] <= tmp)
+ { pivot = tmp; }
+ else if (data[hi] <= pivot)
+ { pivot = data[hi]; }
+ // -- partition set
+ int h = hi;
+ int l = lo;
+ while (l < h)
{
- tmp = data[l];
- data[l] = data[h];
- data[h] = tmp;
- l = l+1;
- h = h-1;
+ while (! (pivot <= data[l])) l++;
+ while (! (data[h] <= pivot)) h--;
+ if (l < h)
+ {
+ tmp = data[l];
+ data[l] = data[h];
+ data[h] = tmp;
+ l = l+1;
+ h = h-1;
+ }
+ }
+ // -- recurse, small partition first
+ // tail-recursion elimination
+ if (h - lo <= hi - l) {
+ sort(lo,h);
+ lo = l; // sort(l,hi)
+ } else {
+ sort(l,hi);
+ hi = h; // sort(lo,h)
}
}
- // -- recursively restart
- sort(lo, h);
- sort(l, hi);
}
template<class TYPE> inline TYPE&


@ -1,22 +0,0 @@
diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h
index e8e0c9b..ca89a19 100644
--- a/libdjvu/GBitmap.h
+++ b/libdjvu/GBitmap.h
@@ -566,7 +566,7 @@ GBitmap::operator[](int row)
{
if (!bytes)
uncompress();
- if (row<0 || row>=nrows) {
+ if (row<0 || row>=nrows || !bytes) {
#ifndef NDEBUG
if (zerosize < bytes_per_row + border)
G_THROW( ERR_MSG("GBitmap.zero_small") );
@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const
{
if (!bytes)
((GBitmap*)this)->uncompress();
- if (row<0 || row>=nrows) {
+ if (row<0 || row>=nrows || !bytes) {
#ifndef NDEBUG
if (zerosize < bytes_per_row + border)
G_THROW( ERR_MSG("GBitmap.zero_small") );


@ -1,23 +0,0 @@
--- a/libdjvu/IW44EncodeCodec.cpp
+++ a/libdjvu/IW44EncodeCodec.cpp
@@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale)
int y = 0;
int s = scale*rowsize;
int s3 = s+s+s;
- h = ((h-1)/scale)+1;
+ h = (h>0) ? ((h-1)/scale)+1 : 0;
y += 1;
p += s;
while (y-3 < h)
--- a/tools/ddjvu.cpp
+++ a/tools/ddjvu.cpp
@@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno)
prect.h = (ih * 100) / dpi;
}
/* Process aspect ratio */
- if (flag_aspect <= 0)
+ if (flag_aspect <= 0 && iw>0 && ih>0)
{
double dw = (double)iw / prect.w;
double dh = (double)ih / prect.h;


@ -1,22 +0,0 @@
--- a/libdjvu/MMX.cpp
+++ b/libdjvu/MMX.cpp
@@ -169,16 +169,10 @@
#endif
#if defined(MMX) && defined(__GNUC__) && defined(__x86_64__)
// Detection of MMX for GCC
- __asm__ volatile (// Check that CR0:EM is clear
- "xorl %%edx,%%edx\n\t"
- "smsw %%ax\n\t"
- "andl $4,%%eax\n\t"
- "jnz 1f\n\t"
- // Execute CPUID
+ __asm__ volatile (// Execute CPUID
"movl $1,%%eax\n\t"
- "cpuid\n"
- // Finish
- "1:\tmovl %%edx, %0"
+ "cpuid\n\t"
+ "movl %%edx, %0"
: "=m" (cpuflags) :
: "eax","ebx","ecx","edx");
#endif


@ -1,13 +0,0 @@
diff --git a/tools/cjb2.cpp b/tools/cjb2.cpp
index 3da3ea8..701238d 100644
--- a/tools/cjb2.cpp
+++ b/tools/cjb2.cpp
@@ -744,6 +744,8 @@ read_tiff(CCImage &rimg, ByteStream *bs, cjb2opts &opts)
readproc, writeproc, seekproc,
closeproc, sizeproc,
mapproc, unmapproc );
+ if (! tiff)
+ G_THROW("Tiff image is corrupted (cannot open)");
// bitonal
uint16 bps = 0, spp = 0;
TIFFGetFieldDefaulted(tiff, TIFFTAG_BITSPERSAMPLE, &bps);

View File

@ -1,3 +1,33 @@
-------------------------------------------------------------------
Mon Dec 21 16:26:45 UTC 2020 - Atri Bhattacharya <badshah400@gmail.com>
- Update to version 3.5.28
* ddjvu: tiff generation improvements
* djvumake: security checks on INCL chunks
* all: updated for modern compilers
* bugs: fixed several crashes on invalid inputs
* miniexp: fixed escape printout and macrochars
* djvudigital: can use poppler to find text
* csepdjvu: handle T comments for page titles
* bytestream: fixed 2GB limit
* gexception, gthread: cleanup obsolete code
- Drop patches incorporated or otherwise fixed upstream:
* djvulibre-invalid-tiff.patch
* djvulibre-CVE-2019-15144.patch
* djvulibre-CVE-2019-15145.patch
* djvulibre-CVE-2019-18804.patch
* djvulibre-CVE-2019-15143.patch
* djvulibre-always-assume-that-cpuid-works-on-x86_64.patch
* djvulibre-CVE-2019-15142.patch
* reproducible.patch
- Only run post(un) scriptlets for desktop database update for
openSUSE < 1550, these are void otherwise.
- Regenerate configure script as it is no longer supplied with
tarball; add BuildRequires: libtool.
- Adapt file list for mime file no longer being installed (this is
intentional from upstream); accordingly drop shared-mime-info
BuildRequires and post(un) scripts.
-------------------------------------------------------------------
Fri Nov 8 11:15:02 UTC 2019 - pgajdos@suse.com


@ -1,7 +1,7 @@
#
# spec file for package djvulibre
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -20,38 +20,21 @@
%define libname lib%{name}21
Name: djvulibre
Version: 3.5.27
Version: 3.5.28
Release: 0
Summary: An Implementation of DjVu
License: GPL-2.0-or-later
Group: Productivity/Graphics/Other
Url: http://djvu.sourceforge.net
URL: http://djvu.sourceforge.net
Source: http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
# PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/djvu/djvulibre-git/ci/ff8e5b68f856a7fe17c9aa33d0f2220f4ba6b40c/
Patch0: reproducible.patch
# CVE-2019-15143 [bsc#1146569]
Patch1: djvulibre-CVE-2019-15143.patch
# CVE-2019-15144 [bsc#1146571]
Patch2: djvulibre-CVE-2019-15144.patch
# CVE-2019-15145 [bsc#1146572]
Patch3: djvulibre-CVE-2019-15145.patch
# CVE-2019-15142 [bsc#1146702]
Patch4: djvulibre-CVE-2019-15142.patch
# do not segfault when libtiff encounters corrupted TIFF (upstream issue #295)
Patch5: djvulibre-invalid-tiff.patch
# https://sourceforge.net/p/djvu/bugs/293/
Patch6: djvulibre-always-assume-that-cpuid-works-on-x86_64.patch
# CVE-2019-18804 [bsc#1156188]
Patch7: djvulibre-CVE-2019-18804.patch
BuildRequires: fdupes
BuildRequires: gcc-c++
BuildRequires: hicolor-icon-theme
BuildRequires: libjpeg-devel
# libtool needed to regenerate missing configure script (v 3.5.28)
BuildRequires: libtool
BuildRequires: pkg-config
BuildRequires: pkgconfig(libtiff-4)
Requires(post): shared-mime-info
Requires(postun): shared-mime-info
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
DjVu is a Web-centric format and software platform for distributing
@ -96,16 +79,10 @@ This package contains the documentation.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build
# configure script missing; generate using autogen.sh
NOCONFIGURE=1 ./autogen.sh
%configure \
--disable-silent-rules
%if %{asan_build}
@ -124,15 +101,15 @@ rm %{buildroot}%{_libdir}/libdjvulibre.la
%fdupes %{buildroot}/%{_prefix}
%if 0%{?suse_version} < 1550
%post
%mime_database_post
%icon_theme_cache_post
%post -n %{libname} -p /sbin/ldconfig
%postun
%mime_database_postun
%icon_theme_cache_postun
%endif
%post -n %{libname} -p /sbin/ldconfig
%postun -n %{libname} -p /sbin/ldconfig
@ -143,7 +120,6 @@ rm %{buildroot}%{_libdir}/libdjvulibre.la
%{_datadir}/djvu
%{_bindir}/*
%{_datadir}/icons/hicolor/*
%{_datadir}/mime/packages/djvulibre-mime.xml
%files -n %{libname}
%{_libdir}/libdjvulibre.so.*
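Review bot: The rewritten `URL:` tag and the `Source:` line below it still use plain HTTP, so the 3.5.28 archive named in this spec has no transport integrity when it is fetched from here. With every downstream CVE patch dropped, the package's security fixes now come entirely from that archive, and `%build` executes its `autogen.sh`. I would change both tags to `https://`, e.g. `Source: https://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz`, and verify an upstream checksum or signature if one is published; whether the build service validates the archive by other means is not visible on this page. As a smaller point, `autogen.sh` presumably needs autoconf and automake, which seem to arrive only indirectly through `BuildRequires: libtool`; listing them explicitly would document the dependency.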


@ -1,26 +0,0 @@
Index: djvulibre-3.5.27/desktopfiles/Makefile.am
===================================================================
--- djvulibre-3.5.27.orig/desktopfiles/Makefile.am
+++ djvulibre-3.5.27/desktopfiles/Makefile.am
@@ -61,7 +61,7 @@ else
endif
svg_process =\
-cat $< | gzip >$@
+cat $< | gzip -n >$@
svg_verbose = $(svg_verbose_@AM_V@)
svg_verbose_ = $(svg_verbose_@AM_DEFAULT_V@)
Index: djvulibre-3.5.27/desktopfiles/Makefile.in
===================================================================
--- djvulibre-3.5.27.orig/desktopfiles/Makefile.in
+++ djvulibre-3.5.27/desktopfiles/Makefile.in
@@ -321,7 +321,7 @@ png_verbose = $(png_verbose_@AM_V@)
png_verbose_ = $(png_verbose_@AM_DEFAULT_V@)
png_verbose_0 = @echo " PNG " $@;
svg_process = \
-cat $< | gzip >$@
+cat $< | gzip -n >$@
svg_verbose = $(svg_verbose_@AM_V@)
svg_verbose_ = $(svg_verbose_@AM_DEFAULT_V@)