Accepting request 1107914 from graphics

- security update
- added patches
  fix CVE-2021-46310 [bsc#1214670], divide by zero in IW44Image.cpp
  + djvulibre-CVE-2021-46310.patch
  fix CVE-2021-46312 [bsc#1214672], divide by zero in IW44EncodeCodec.cpp
  + djvulibre-CVE-2021-46312.patch

OBS-URL: https://build.opensuse.org/request/show/1107914
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/djvulibre?expand=0&rev=45

djvulibre-CVE-2021-46310.patch

@@ -0,0 +1,17 @@
+Index: djvulibre-3.5.28/libdjvu/IW44Image.cpp
+===================================================================
+--- djvulibre-3.5.28.orig/libdjvu/IW44Image.cpp
++++ djvulibre-3.5.28/libdjvu/IW44Image.cpp
+@@ -676,10 +676,10 @@ IW44Image::Map::image(signed char *img8,
+   // Allocate reconstruction buffer
+   short *data16;
+   size_t sz = bw * bh;
++  if (sz == 0) // bw or bh is zero
++    G_THROW("IW44Image: zero size image (corrupted file?)");
+   if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+     G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+-  if (sz == 0)
+-    G_THROW("IW44Image: zero size image (corrupted file?)");
+   GPBuffer<short> gdata16(data16,sz);
+   if (data16 == NULL)
+     G_THROW("IW44Image: unable to allocate image data");

djvulibre-CVE-2021-46312.patch

@@ -0,0 +1,18 @@
+Index: djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp
+===================================================================
+--- djvulibre-3.5.28.orig/libdjvu/IW44EncodeCodec.cpp
++++ djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp
+@@ -1424,7 +1424,12 @@ IWBitmap::Encode::init(const GBitmap &bm
+   int h = bm.rows();
+   int g = bm.get_grays()-1;
+   signed char *buffer;
+-  GPBuffer<signed char> gbuffer(buffer,w*h);
++  size_t sz = w * h;
++  if (sz == 0 || g <= 0) // w or h is zero or g is not positive
++    G_THROW("IWBitmap: zero size image (corrupted file?)");
++  if (sz / (size_t)w != (size_t)h) // multiplication overflow
++    G_THROW("IWBitmap: image size exceeds maximum (corrupted file?)");
++  GPBuffer<signed char> gbuffer(buffer,sz);
+   // Prepare gray level conversion table
+   signed char  bconv[256];
+   for (i=0; i<256; i++)

djvulibre.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Aug 29 10:48:49 UTC 2023 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2021-46310 [bsc#1214670], divide by zero in IW44Image.cpp
+  + djvulibre-CVE-2021-46310.patch
+  fix CVE-2021-46312 [bsc#1214672], divide by zero in IW44EncodeCodec.cpp
+  + djvulibre-CVE-2021-46312.patch
+
 -------------------------------------------------------------------
 Wed May  4 09:30:24 UTC 2022 - Marcus Meissner <meissner@suse.com>
 

djvulibre.spec

@@ -37,6 +37,10 @@ Patch2:         djvulibre-CVE-2021-32492.patch
 Patch3:         djvulibre-CVE-2021-32493.patch
 # CVE-2021-3500 [bsc#1186253], Stack overflow in function DJVU:DjVuDocument:get_djvu_file() via crafted djvu file
 Patch4:         djvulibre-CVE-2021-3500.patch
+# CVE-2021-46310 [bsc#1214670], divide by zero in IW44Image.cpp
+Patch5:         djvulibre-CVE-2021-46310.patch
+# CVE-2021-46312 [bsc#1214672], divide by zero in IW44EncodeCodec.cpp
+Patch6:         djvulibre-CVE-2021-46312.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  hicolor-icon-theme
@@ -94,6 +98,8 @@ This package contains the documentation.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 
 %build
 # configure script missing; generate using autogen.sh