
- Add 0001-bits-change-bit_copy_chain.patch,

0001-fix-obj_flush_hdlstream-GH-497.patch
  [CVE-2022-35164] [boo#1202553]

OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libredwg?expand=0&rev=35
Jan Engelhardt 2022-08-19 15:18:12 +00:00 committed by Git OBS Bridge
parent 896d6edab4
commit 998b8e2de5
4 changed files with 135 additions and 0 deletions


@ -0,0 +1,81 @@
From bb97cadde05277f089b730a7aff4cffa4c9f8afa Mon Sep 17 00:00:00 2001
From: Reini Urban <rurban@cpan.org>
Date: Mon, 15 Aug 2022 10:23:08 +0200
Subject: [PATCH] bits: change bit_copy_chain
copy only the rest of the 2nd dat, not the whole.
and don't reset it to 0, keep its position.
---
src/bits.c | 14 +++++++-------
src/encode.c | 5 ++++-
2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/bits.c b/src/bits.c
index a7a8ca98..4c9ca878 100644
--- a/src/bits.c
+++ b/src/bits.c
@@ -3353,25 +3353,25 @@ bool does_cross_unicode_datversion (Bit_Chain *restrict dat)
return false;
}
-/* Copy the whole content of tmp_data to dat, and reset tmp_dat.
+/* Copy the rest content of tmp_data to dat.
WARN: This might change dat->chain */
void bit_copy_chain (Bit_Chain *restrict dat, Bit_Chain *restrict tmp_dat)
{
unsigned long i;
- unsigned long dat_bits = bit_position (tmp_dat);
- unsigned long size = tmp_dat->byte;
+ unsigned long size = tmp_dat->size - tmp_dat->byte;
while (dat->byte + size > dat->size)
bit_chain_alloc (dat);
// check if dat is byte aligned, tmp_dat always is. we can use memcpy then.
- if (!dat->bit)
+ if (!dat->bit && !tmp_dat->bit)
{
assert(!tmp_dat->bit);
- memcpy (&dat->chain[dat->byte], &tmp_dat->chain[0], size);
+ memcpy (&dat->chain[dat->byte], &tmp_dat->chain[tmp_dat->byte], size);
dat->byte += size;
}
else
{
- bit_set_position (tmp_dat, 0);
+ unsigned long dat_bits = bit_position (tmp_dat);
+ //bit_set_position (tmp_dat, 0);
for (i = 0; i < size; i++)
{
bit_write_RC (dat, bit_read_RC (tmp_dat));
@@ -3380,6 +3380,6 @@ void bit_copy_chain (Bit_Chain *restrict dat, Bit_Chain *restrict tmp_dat)
{
bit_write_B (dat, bit_read_B (tmp_dat));
}
+ bit_set_position (tmp_dat, dat_bits);
}
- bit_set_position (tmp_dat, 0);
}
diff --git a/src/encode.c b/src/encode.c
index d533e1fa..d4a63e16 100644
--- a/src/encode.c
+++ b/src/encode.c
@@ -846,13 +846,16 @@ obj_flush_hdlstream (Dwg_Object *restrict obj, Bit_Chain *restrict dat,
{
unsigned long datpos = bit_position (dat);
unsigned long hdlpos = bit_position (hdl_dat);
+ unsigned long hdlsize = (hdl_dat->size * 8) - hdlpos;
unsigned long objpos = obj->address * 8;
#if 0
unsigned char* oldchain = dat->chain;
#endif
- LOG_TRACE ("Flush handle stream of size %lu (@%lu.%u) to @%lu.%lu\n", hdlpos,
+ LOG_TRACE ("Flush handle stream of %lu bits (@%lu.%u) to @%lu.%lu\n", hdlsize,
hdl_dat->byte, hdl_dat->bit, (datpos - objpos) / 8,
(datpos - objpos) % 8);
+ if (hdlpos > 10000U)
+ LOG_ERROR("Possible hdl_data overflow")
// This might change dat->chain
bit_copy_chain (dat, hdl_dat);
}
--
2.37.1
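Review bot: `size = tmp_dat->size - tmp_dat->byte` in the `bit_copy_chain` hunk is an unsigned subtraction with no check that `tmp_dat->byte <= tmp_dat->size`, so a read position past the end wraps `size` to a very large value that then drives the `bit_chain_alloc` loop and the copy. A guard ahead of it, e.g. `if (tmp_dat->byte > tmp_dat->size) return;` together with an error log, would bound it; `hdlsize = (hdl_dat->size * 8) - hdlpos` in the src/encode.c hunk has the same shape, although there it only feeds the trace message. In the unaligned branch the loop still reads `size` whole bytes starting from a possibly non-zero bit offset, which appears to run up to 7 bits beyond `tmp_dat->size` unless `bit_read_RC` bounds-checks; that helper is outside the hunk, so this needs confirming. The inner `assert(!tmp_dat->bit)` is now implied by the new condition, and the comment "tmp_dat always is" no longer matches it. Part of the body of `bit_copy_chain` lies between the two hunks and is not shown.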


@ -0,0 +1,45 @@
From 2f36577e6ef6a32c81be48a6faac303f76f6f943 Mon Sep 17 00:00:00 2001
From: Reini Urban <rurban@cpan.org>
Date: Mon, 15 Aug 2022 11:06:14 +0200
Subject: [PATCH] fix obj_flush_hdlstream GH #497
don't free non-temp hdl_dat chain, when it's the dat->chain really.
(on old DWG's)
---
src/encode.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/encode.c b/src/encode.c
index d4a63e16..1b82dd2a 100644
--- a/src/encode.c
+++ b/src/encode.c
@@ -823,9 +823,11 @@ const unsigned char unknown_section[53]
bit_chain_init_dat (&dat2, 12, dat); \
hdl_dat = &dat2; \
ENCODE_COMMON_HANDLES \
+ bit_set_position (hdl_dat, 0); \
obj_flush_hdlstream (obj, dat, hdl_dat); /* common */ \
obj_flush_hdlstream (obj, dat, &dat1); /* special accumulated */ \
- bit_chain_free (&dat1); \
+ if (dat1.chain != dat->chain) \
+ bit_chain_free (&dat1); \
bit_chain_free (&dat2); \
*hdl_dat = *dat; \
hdl_dat = dat; \
@@ -855,7 +857,12 @@ obj_flush_hdlstream (Dwg_Object *restrict obj, Bit_Chain *restrict dat,
hdl_dat->byte, hdl_dat->bit, (datpos - objpos) / 8,
(datpos - objpos) % 8);
if (hdlpos > 10000U)
- LOG_ERROR("Possible hdl_data overflow")
+ LOG_WARN("Possible hdl_data overflow")
+ if (dat->chain == hdl_dat->chain)
+ {
+ LOG_WARN("Ignore identical hdl chains")
+ return;
+ }
// This might change dat->chain
bit_copy_chain (dat, hdl_dat);
}
--
2.37.1
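Review bot: The alias test `if (dat1.chain != dat->chain)` in the macro hunk runs only after both `obj_flush_hdlstream` calls, while the second hunk's own comment says `bit_copy_chain` "might change dat->chain". If `dat1.chain` does alias `dat->chain` and the first flush (of `dat2`) reallocates `dat`, the two pointers stop comparing equal, so the new early `return` in `obj_flush_hdlstream` would be skipped and `bit_chain_free (&dat1)` would run on a stale pointer; whether that reallocation can occur on this path is not visible here. Recording the aliasing before the first flush, e.g. `const int dat1_shared = (dat1.chain == dat->chain);` and then `if (!dat1_shared) bit_chain_free (&dat1);`, would make the decision independent of any reallocation. Separately, `if (hdlpos > 10000U)` only logs and then continues into the copy, and the constant is unexplained; a comment such as `/* sanity limit on handle-stream bit position; not enforced */` would say what it is for. The macro body and `obj_flush_hdlstream` both begin outside their hunks.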


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Aug 19 15:13:22 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
- Add 0001-bits-change-bit_copy_chain.patch,
0001-fix-obj_flush_hdlstream-GH-497.patch
[CVE-2022-35164] [boo#1202553]
-------------------------------------------------------------------
Sun Feb 13 23:43:55 UTC 2022 - Jan Engelhardt <jengelh@inai.de>


@ -29,6 +29,8 @@ Source: https://ftp.gnu.org/pub/gnu/libredwg/%name-%version.tar.gz
Source2: https://ftp.gnu.org/pub/gnu/libredwg/%name-%version.tar.gz.sig
Source3: http://savannah.gnu.org/people/viewgpg.php?user_id=101103#/%name.keyring
Source4: %name-rpmlintrc
Patch1: 0001-bits-change-bit_copy_chain.patch
Patch2: 0001-fix-obj_flush_hdlstream-GH-497.patch
BuildRequires: pkg-config
%description