Petr Gajdos
cd84a81a7d
- added patches fix CVE-2021-32490 [bsc#1185895], Out of bounds write in function DJVU:filter_bv() via crafted djvu file + djvulibre-CVE-2021-32490.patch fix CVE-2021-32491 [bsc#1185900], Integer overflow in function render() in tools/ddjvu via crafted djvu file + djvulibre-CVE-2021-32491.patch fix CVE-2021-32492 [bsc#1185904], Out of bounds read in function DJVU:DataPool:has_data() via crafted djvu file + djvulibre-CVE-2021-32492.patch fix CVE-2021-32493 [bsc#1185905], Heap buffer overflow in function DJVU:GBitmap:decode() via crafted djvu file + djvulibre-CVE-2021-32493.patch OBS-URL: https://build.opensuse.org/package/show/graphics/djvulibre?expand=0&rev=38
24 lines
850 B
Diff
24 lines
850 B
Diff
Index: djvulibre-3.5.28/tools/ddjvu.cpp
|
|
===================================================================
|
|
--- djvulibre-3.5.28.orig/tools/ddjvu.cpp 2020-11-20 17:57:32.000000000 +0100
|
|
+++ djvulibre-3.5.28/tools/ddjvu.cpp 2021-05-11 15:14:54.038421444 +0200
|
|
@@ -70,6 +70,7 @@
|
|
#include <locale.h>
|
|
#include <fcntl.h>
|
|
#include <errno.h>
|
|
+#include <stdint.h>
|
|
|
|
#ifdef UNIX
|
|
# include <sys/time.h>
|
|
@@ -394,7 +395,9 @@ render(ddjvu_page_t *page, int pageno)
|
|
rowsize = rrect.w;
|
|
else
|
|
rowsize = rrect.w * 3;
|
|
- if (! (image = (char*)malloc(rowsize * rrect.h)))
|
|
+ if ((size_t) rowsize > SIZE_MAX / rrect.h)
|
|
+ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
|
|
+ if (! (image = (char*)malloc((size_t) rowsize * rrect.h)))
|
|
die(i18n("Cannot allocate image buffer for page %d"), pageno);
|
|
|
|
/* Render */
|