- security update

- added patches
  fix CVE-2021-32490 [bsc#1185895], Out of bounds write in function DJVU:filter_bv() via crafted djvu file
  + djvulibre-CVE-2021-32490.patch
  fix CVE-2021-32491 [bsc#1185900], Integer overflow in function render() in tools/ddjvu via crafted djvu file
  + djvulibre-CVE-2021-32491.patch
  fix CVE-2021-32492 [bsc#1185904], Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
  + djvulibre-CVE-2021-32492.patch
  fix CVE-2021-32493 [bsc#1185905], Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
  + djvulibre-CVE-2021-32493.patch

OBS-URL: https://build.opensuse.org/package/show/graphics/djvulibre?expand=0&rev=38

djvulibre-CVE-2021-32490.patch

@@ -0,0 +1,16 @@
+Index: djvulibre-3.5.28/libdjvu/IW44Image.cpp
+===================================================================
+--- djvulibre-3.5.28.orig/libdjvu/IW44Image.cpp	2020-11-20 17:57:32.000000000 +0100
++++ djvulibre-3.5.28/libdjvu/IW44Image.cpp	2021-05-11 15:14:54.034421423 +0200
+@@ -678,7 +678,11 @@ IW44Image::Map::image(signed char *img8,
+   size_t sz = bw * bh;
+   if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+     G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
++  if (sz == 0)
++    G_THROW("IW44Image: zero size image (corrupted file?)");
+   GPBuffer<short> gdata16(data16,sz);
++  if (data16 == NULL)
++    G_THROW("IW44Image: unable to allocate image data");
+   // Copy coefficients
+   int i;
+   short *p = data16;

djvulibre-CVE-2021-32491.patch

@@ -0,0 +1,23 @@
+Index: djvulibre-3.5.28/tools/ddjvu.cpp
+===================================================================
+--- djvulibre-3.5.28.orig/tools/ddjvu.cpp	2020-11-20 17:57:32.000000000 +0100
++++ djvulibre-3.5.28/tools/ddjvu.cpp	2021-05-11 15:14:54.038421444 +0200
+@@ -70,6 +70,7 @@
+ #include <locale.h>
+ #include <fcntl.h>
+ #include <errno.h>
++#include <stdint.h>
+ 
+ #ifdef UNIX
+ # include <sys/time.h>
+@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno)
+     rowsize = rrect.w;
+   else
+     rowsize = rrect.w * 3; 
+-  if (! (image = (char*)malloc(rowsize * rrect.h)))
++  if ((size_t) rowsize > SIZE_MAX / rrect.h)
++    die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
++  if (! (image = (char*)malloc((size_t) rowsize * rrect.h)))
+     die(i18n("Cannot allocate image buffer for page %d"), pageno);
+ 
+   /* Render */

djvulibre-CVE-2021-32492.patch

@@ -0,0 +1,12 @@
+--- a/libdjvu/DataPool.cpp	
++++ a/libdjvu/DataPool.cpp	
+@@ -791,6 +791,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
+   DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
+   DEBUG_MAKE_INDENT(3);
+ 
++  if (!pool) G_THROW( ERR_MSG("DataPool.zero_DataPool") );
++
+   DataPool *xpool=new DataPool();
+   GP<DataPool> retval=xpool;
+   xpool->init();
+

djvulibre-CVE-2021-32493.patch

@@ -0,0 +1,20 @@
+--- a/libdjvu/GBitmap.cpp	
++++ a/libdjvu/GBitmap.cpp	
+@@ -69,6 +69,7 @@ 
+ #include <stddef.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <climits>
+ 
+ // - Author: Leon Bottou, 05/1997
+ 
+@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
+   // initialize pixel array
+   if (nrows==0 || ncolumns==0)
+     G_THROW( ERR_MSG("GBitmap.not_init") );
++  if (ncolumns > USHRT_MAX - border)
++    G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
+   bytes_per_row = ncolumns + border;
+   if (runs==0)
+     G_THROW( ERR_MSG("GBitmap.null_arg") );
+

djvulibre.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Wed May 12 10:09:21 UTC 2021 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2021-32490 [bsc#1185895], Out of bounds write in function DJVU:filter_bv() via crafted djvu file
+  + djvulibre-CVE-2021-32490.patch
+  fix CVE-2021-32491 [bsc#1185900], Integer overflow in function render() in tools/ddjvu via crafted djvu file
+  + djvulibre-CVE-2021-32491.patch
+  fix CVE-2021-32492 [bsc#1185904], Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
+  + djvulibre-CVE-2021-32492.patch
+  fix CVE-2021-32493 [bsc#1185905], Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
+  + djvulibre-CVE-2021-32493.patch
+
 -------------------------------------------------------------------
 Mon Dec 21 16:26:45 UTC 2020 - Atri Bhattacharya <badshah400@gmail.com>
 

djvulibre.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package djvulibre
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,6 +27,14 @@ License:        GPL-2.0-or-later
 Group:          Productivity/Graphics/Other
 URL:            http://djvu.sourceforge.net
 Source:         http://downloads.sourceforge.net/djvu/%{name}-%{version}.tar.gz
+# CVE-2021-32490 [bsc#1185895], Out of bounds write in function DJVU:filter_bv() via crafted djvu file
+Patch0:         djvulibre-CVE-2021-32490.patch
+# CVE-2021-32491 [bsc#1185900], Integer overflow in function render() in tools/ddjvu via crafted djvu file
+Patch1:         djvulibre-CVE-2021-32491.patch
+# CVE-2021-32492 [bsc#1185904], Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file
+Patch2:         djvulibre-CVE-2021-32492.patch
+# CVE-2021-32493 [bsc#1185905], Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file
+Patch3:         djvulibre-CVE-2021-32493.patch
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  hicolor-icon-theme
@@ -79,6 +87,10 @@ This package contains the documentation.
 
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 # configure script missing; generate using autogen.sh