diff --git a/0001-bits-change-bit_copy_chain.patch b/0001-bits-change-bit_copy_chain.patch
new file mode 100644
index 0000000..f327585
--- /dev/null
+++ b/0001-bits-change-bit_copy_chain.patch
@@ -0,0 +1,81 @@
+From bb97cadde05277f089b730a7aff4cffa4c9f8afa Mon Sep 17 00:00:00 2001
+From: Reini Urban
+Date: Mon, 15 Aug 2022 10:23:08 +0200
+Subject: [PATCH] bits: change bit_copy_chain
+
+copy only the rest of the 2nd dat, not the whole.
+and don't reset it to 0, keep its position.
+---
+ src/bits.c | 14 +++++++-------
+ src/encode.c | 5 ++++-
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/src/bits.c b/src/bits.c
+index a7a8ca98..4c9ca878 100644
+--- a/src/bits.c
++++ b/src/bits.c
+@@ -3353,25 +3353,25 @@ bool does_cross_unicode_datversion (Bit_Chain *restrict dat)
+ return false;
+ }
+ 
+-/* Copy the whole content of tmp_data to dat, and reset tmp_dat.
++/* Copy the rest content of tmp_data to dat.
+ WARN: This might change dat->chain */
+ void bit_copy_chain (Bit_Chain *restrict dat, Bit_Chain *restrict tmp_dat)
+ {
+ unsigned long i;
+- unsigned long dat_bits = bit_position (tmp_dat);
+- unsigned long size = tmp_dat->byte;
++ unsigned long size = tmp_dat->size - tmp_dat->byte;
+ while (dat->byte + size > dat->size)
+ bit_chain_alloc (dat);
+ // check if dat is byte aligned, tmp_dat always is. we can use memcpy then.
+- if (!dat->bit)
++ if (!dat->bit && !tmp_dat->bit)
+ {
+ assert(!tmp_dat->bit);
+- memcpy (&dat->chain[dat->byte], &tmp_dat->chain[0], size);
++ memcpy (&dat->chain[dat->byte], &tmp_dat->chain[tmp_dat->byte], size);
+ dat->byte += size;
+ }
+ else
+ {
+- bit_set_position (tmp_dat, 0);
++ unsigned long dat_bits = bit_position (tmp_dat);
++ //bit_set_position (tmp_dat, 0);
+ for (i = 0; i < size; i++)
+ {
+ bit_write_RC (dat, bit_read_RC (tmp_dat));
+@@ -3380,6 +3380,6 @@ void bit_copy_chain (Bit_Chain *restrict dat, Bit_Chain *restrict tmp_dat)
+ {
+ bit_write_B (dat, bit_read_B (tmp_dat));
+ }
++ bit_set_position (tmp_dat, dat_bits);
+ }
+- bit_set_position (tmp_dat, 0);
+ }
+diff --git a/src/encode.c b/src/encode.c
+index d533e1fa..d4a63e16 100644
+--- a/src/encode.c
++++ b/src/encode.c
+@@ -846,13 +846,16 @@ obj_flush_hdlstream (Dwg_Object *restrict obj, Bit_Chain *restrict dat,
+ {
+ unsigned long datpos = bit_position (dat);
+ unsigned long hdlpos = bit_position (hdl_dat);
++ unsigned long hdlsize = (hdl_dat->size * 8) - hdlpos;
+ unsigned long objpos = obj->address * 8;
+ #if 0
+ unsigned char* oldchain = dat->chain;
+ #endif
+- LOG_TRACE ("Flush handle stream of size %lu (@%lu.%u) to @%lu.%lu\n", hdlpos,
++ LOG_TRACE ("Flush handle stream of %lu bits (@%lu.%u) to @%lu.%lu\n", hdlsize,
+ hdl_dat->byte, hdl_dat->bit, (datpos - objpos) / 8,
+ (datpos - objpos) % 8);
++ if (hdlpos > 10000U)
++ LOG_ERROR("Possible hdl_data overflow")
+ // This might change dat->chain
+ bit_copy_chain (dat, hdl_dat);
+ }
+-- 
+2.37.1
+
diff --git a/0001-fix-obj_flush_hdlstream-GH-497.patch b/0001-fix-obj_flush_hdlstream-GH-497.patch
new file mode 100644
index 0000000..d49d4a7
--- /dev/null
+++ b/0001-fix-obj_flush_hdlstream-GH-497.patch
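Review bot: `unsigned long size = tmp_dat->size - tmp_dat->byte;` in bit_copy_chain has no check that `tmp_dat->byte <= tmp_dat->size`; if the read position has run past the end, the unsigned subtraction wraps to a huge `size`, `dat->byte + size` can wrap as well so the `bit_chain_alloc` loop never grows `dat`, and the `memcpy` then writes past `dat->chain` — the same class of overflow this patch is meant to close. A guard before the loop, `if (tmp_dat->byte > tmp_dat->size) return;`, keeps both the growth loop and the memcpy within bounds. Inside `if (!dat->bit && !tmp_dat->bit)` the `assert(!tmp_dat->bit);` is now implied by the condition, and the comment above it (`tmp_dat always is` byte aligned) contradicts the new else-branch; `// memcpy when both chains are byte aligned, otherwise copy bit by bit` would match the code. In the else-branch the RC loop reads `size` whole bytes starting at `tmp_dat->byte.bit` and the B loop at 3380 reads further still, so with a nonzero `tmp_dat->bit` the copy appears to read past `tmp_dat->size`; the B loop's bound (lines 3378–3379) is outside the hunk, so this needs checking there. In encode.c, `10000U` in `if (hdlpos > 10000U)` is an unexplained threshold that deserves a named constant and a comment on why that many bits is suspicious, and `hdlsize = (hdl_dat->size * 8) - hdlpos` has the same unguarded-subtraction shape as `size` above.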
@@ -0,0 +1,45 @@
+From 2f36577e6ef6a32c81be48a6faac303f76f6f943 Mon Sep 17 00:00:00 2001
+From: Reini Urban
+Date: Mon, 15 Aug 2022 11:06:14 +0200
+Subject: [PATCH] fix obj_flush_hdlstream GH #497
+
+don't free non-temp hdl_dat chain, when it's the dat->chain really.
+(on old DWG's)
+---
+ src/encode.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/encode.c b/src/encode.c
+index d4a63e16..1b82dd2a 100644
+--- a/src/encode.c
++++ b/src/encode.c
+@@ -823,9 +823,11 @@ const unsigned char unknown_section[53]
+ bit_chain_init_dat (&dat2, 12, dat); \
+ hdl_dat = &dat2; \
+ ENCODE_COMMON_HANDLES \
++ bit_set_position (hdl_dat, 0); \
+ obj_flush_hdlstream (obj, dat, hdl_dat); /* common */ \
+ obj_flush_hdlstream (obj, dat, &dat1); /* special accumulated */ \
+- bit_chain_free (&dat1); \
++ if (dat1.chain != dat->chain) \
++ bit_chain_free (&dat1); \
+ bit_chain_free (&dat2); \
+ *hdl_dat = *dat; \
+ hdl_dat = dat; \
+@@ -855,7 +857,12 @@ obj_flush_hdlstream (Dwg_Object *restrict obj, Bit_Chain *restrict dat,
+ hdl_dat->byte, hdl_dat->bit, (datpos - objpos) / 8,
+ (datpos - objpos) % 8);
+ if (hdlpos > 10000U)
+- LOG_ERROR("Possible hdl_data overflow")
++ LOG_WARN("Possible hdl_data overflow")
++ if (dat->chain == hdl_dat->chain)
++ {
++ LOG_WARN("Ignore identical hdl chains")
++ return;
++ }
+ // This might change dat->chain
+ bit_copy_chain (dat, hdl_dat);
+ }
+-- 
+2.37.1
+
diff --git a/libredwg.changes b/libredwg.changes
index dc58c5b..c658f20 100644
--- a/libredwg.changes
+++ b/libredwg.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Aug 19 15:13:22 UTC 2022 - Jan Engelhardt
+
+- Add 0001-bits-change-bit_copy_chain.patch,
+ 0001-fix-obj_flush_hdlstream-GH-497.patch
+ [CVE-2022-35164] [boo#1202553]
+
 -------------------------------------------------------------------
 Sun Feb 13 23:43:55 UTC 2022 - Jan Engelhardt
 
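Review bot: The new guard `if (dat1.chain != dat->chain) bit_chain_free (&dat1);` compares pointers only after both `obj_flush_hdlstream` calls, while the comment directly above `bit_copy_chain` says that call "might change dat->chain"; if the first flush (dat2) reallocates `dat->chain`, a `dat1.chain` that aliased the old buffer now compares unequal, so the second flush's `dat->chain == hdl_dat->chain` check misses the alias, `bit_copy_chain` reads from the released buffer, and `bit_chain_free (&dat1)` frees it a second time. Record the alias decision before the first flush — a flag set from `dat1.chain == dat->chain` right after the chains are initialised — and test that flag rather than the post-flush pointers; the macro body at 823 starts and ends outside the hunk, and that dat1 can share `dat->chain` at all is inferred from the commit message, not from visible code. `bit_set_position (hdl_dat, 0);` rewinds only dat2 before flushing, yet the companion patch makes `bit_copy_chain` copy from the current position; whether `dat1` is at position 0 when it is flushed is not visible here and deserves the same reset or a comment saying why it is unnecessary. The early `return;` on identical chains drops the handle stream silently; a comment such as `/* on old DWGs hdl_dat is dat itself (GH #497): nothing to copy */` would record why this is a warning rather than an error.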
diff --git a/libredwg.spec b/libredwg.spec
index a4b7bcf..eb220cb 100644
--- a/libredwg.spec
+++ b/libredwg.spec
@@ -29,6 +29,8 @@
 Source: https://ftp.gnu.org/pub/gnu/libredwg/%name-%version.tar.gz
 Source2: https://ftp.gnu.org/pub/gnu/libredwg/%name-%version.tar.gz.sig
 Source3: http://savannah.gnu.org/people/viewgpg.php?user_id=101103#/%name.keyring
 Source4: %name-rpmlintrc
+Patch1: 0001-bits-change-bit_copy_chain.patch
+Patch2: 0001-fix-obj_flush_hdlstream-GH-497.patch
 BuildRequires: pkg-config
 %description