Petr Gajdos
33ad9176ce
- added patches CVE-2019-15142 [bsc#1146702] + djvulibre-CVE-2019-15142.patch CVE-2019-15143 [bsc#1146569] + djvulibre-CVE-2019-15143.patch CVE-2019-15144 [bsc#1146571] + djvulibre-CVE-2019-15144.patch CVE-2019-15145 [bsc#1146572] + djvulibre-CVE-2019-15145.patch do not segfault when libtiff encounters corrupted TIFF (upstream issue #295) + djvulibre-invalid-tiff.patch OBS-URL: https://build.opensuse.org/package/show/graphics/djvulibre?expand=0&rev=28
88 lines
3.4 KiB
Diff
88 lines
3.4 KiB
Diff
Index: djvulibre-3.5.27/libdjvu/DjVmDir.cpp
|
|
===================================================================
|
|
--- djvulibre-3.5.27.orig/libdjvu/DjVmDir.cpp 2014-07-08 23:15:07.000000000 +0200
|
|
+++ djvulibre-3.5.27/libdjvu/DjVmDir.cpp 2019-09-02 13:46:28.076374501 +0200
|
|
@@ -300,36 +300,44 @@ DjVmDir::decode(const GP<ByteStream> &gs
|
|
memcpy((char*) strings+strings_size, buffer, length);
|
|
}
|
|
DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
|
|
-
|
|
- // Copy names into the files
|
|
+ int strings_size=strings.size();
|
|
+ strings.resize(strings_size+3);
|
|
+ memset((char*) strings+strings_size, 0, 4);
|
|
+
|
|
+ // Copy names into the files
|
|
const char * ptr=strings;
|
|
for(pos=files_list;pos;++pos)
|
|
{
|
|
GP<File> file=files_list[pos];
|
|
-
|
|
+ if (ptr >= (const char*)strings + strings_size)
|
|
+ G_THROW( "DjVu document is corrupted (DjVmDir)" );
|
|
file->id=ptr;
|
|
ptr+=file->id.length()+1;
|
|
if (file->flags & File::HAS_NAME)
|
|
{
|
|
- file->name=ptr;
|
|
- ptr+=file->name.length()+1;
|
|
- } else
|
|
+ file->name=ptr;
|
|
+ ptr+=file->name.length()+1;
|
|
+ }
|
|
+ else
|
|
{
|
|
file->name=file->id;
|
|
}
|
|
if (file->flags & File::HAS_TITLE)
|
|
{
|
|
- file->title=ptr;
|
|
- ptr+=file->title.length()+1;
|
|
- } else
|
|
- file->title=file->id;
|
|
- /* msr debug: multipage file, file->title is null.
|
|
+ file->title=ptr;
|
|
+ ptr+=file->title.length()+1;
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ file->title=file->id;
|
|
+ }
|
|
+ /* msr debug: multipage file, file->title is null.
|
|
DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
|
|
file->offset << ", " << file->size << ", " <<
|
|
file->is_page() << "\n"); */
|
|
}
|
|
|
|
- // Check that there is only one file with SHARED_ANNO flag on
|
|
+ // Check that there is only one file with SHARED_ANNO flag on
|
|
int shared_anno_cnt=0;
|
|
for(pos=files_list;pos;++pos)
|
|
{
|
|
Index: djvulibre-3.5.27/libdjvu/miniexp.cpp
|
|
===================================================================
|
|
--- djvulibre-3.5.27.orig/libdjvu/miniexp.cpp 2015-02-11 05:35:37.000000000 +0100
|
|
+++ djvulibre-3.5.27/libdjvu/miniexp.cpp 2019-09-02 13:46:28.072374476 +0200
|
|
@@ -1028,7 +1028,7 @@ print_c_string(const char *s, char *d, i
|
|
{
|
|
if (char_quoted(c, flags))
|
|
{
|
|
- char buffer[10];
|
|
+ char buffer[16]; /* 10+1 */
|
|
static const char *tr1 = "\"\\tnrbf";
|
|
static const char *tr2 = "\"\\\t\n\r\b\f";
|
|
buffer[0] = buffer[1] = 0;
|
|
Index: djvulibre-3.5.27/tools/csepdjvu.cpp
|
|
===================================================================
|
|
--- djvulibre-3.5.27.orig/tools/csepdjvu.cpp 2014-07-24 23:12:05.000000000 +0200
|
|
+++ djvulibre-3.5.27/tools/csepdjvu.cpp 2019-09-02 13:46:28.072374476 +0200
|
|
@@ -1814,7 +1814,7 @@ main(int argc, const char **argv)
|
|
ByteStream::create(GURL::Filename::UTF8(arg),"rb");
|
|
BufferByteStream ibs(*fbs);
|
|
do {
|
|
- char pagename[16];
|
|
+ char pagename[20];
|
|
sprintf(pagename, "p%04d.djvu", ++pageno);
|
|
if (opts.verbose > 1)
|
|
DjVuPrintErrorUTF8("%s","--------------------\n");
|