diff --git a/pkgs/applications/misc/djvulibre/CVE-2021-3500+CVE-2021-32490+CVE-2021-32491+CVE-2021-32492+CVE-2021-32493.patch b/pkgs/applications/misc/djvulibre/CVE-2021-3500+CVE-2021-32490+CVE-2021-32491+CVE-2021-32492+CVE-2021-32493.patch
new file mode 100644
index 000000000000..e305c5618d19
--- /dev/null
+++ b/pkgs/applications/misc/djvulibre/CVE-2021-3500+CVE-2021-32490+CVE-2021-32491+CVE-2021-32492+CVE-2021-32493.patch
@@ -0,0 +1,105 @@
+From cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6 Mon Sep 17 00:00:00 2001
+From: Leon Bottou
+Date: Tue, 11 May 2021 14:44:09 -0400
+Subject: [PATCH] Reviewed Fedora patches and adopted some of them (or variants
+ thereof)
+
+ - Patch0: djvulibre-3.5.22-cdefs.patch (forward ported)
+Does not make imuch sense. GSmartPointer.h already includes "stddef.h"
+ - Patch6: djvulibre-3.5.27-export-file.patch (forward ported)
+Incorrect: inkscape command is --export-png, not --export-filename.
+ - Patch8: djvulibre-3.5.27-check-image-size.patch (forward ported)
+Correct: adopted a variant of this
+ - Patch9: djvulibre-3.5.27-integer-overflow.patch (forward ported)
+Correct: adopted a variant of this
+ - Patch10: djvulibre-3.5.27-check-input-pool.patch (forward ported)
+Adopted: input validation never hurts
+ - Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch (forward ported)
+Dubious: Instead I changed djvufile to prevent a file from including itself
+which is the only way I can imagine to create an file creation loop.
+ - Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch (forward ported)
+Adopted: but without including limits.h
+---
+ libdjvu/DataPool.cpp | 3 ++-
+ libdjvu/DjVuFile.cpp | 2 ++
+ libdjvu/GBitmap.cpp | 2 ++
+ libdjvu/IW44Image.cpp | 4 ++++
+ tools/ddjvu.cpp | 7 +++++--
+ 5 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/libdjvu/DataPool.cpp b/libdjvu/DataPool.cpp
+index 5fcbedf..b58fc45 100644
+--- a/libdjvu/DataPool.cpp
++++ b/libdjvu/DataPool.cpp
+@@ -790,7 +790,8 @@ DataPool::create(const GP & pool, int start, int length)
+ {
+ DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
+ DEBUG_MAKE_INDENT(3);
+-
++ if (!pool)
++ G_THROW( ERR_MSG("DataPool.zero_DataPool") );
+ DataPool *xpool=new DataPool();
+ GP retval=xpool;
+ xpool->init();
+diff --git a/libdjvu/DjVuFile.cpp b/libdjvu/DjVuFile.cpp
+index 143346b..2587491 100644
+--- a/libdjvu/DjVuFile.cpp
++++ b/libdjvu/DjVuFile.cpp
+@@ -576,6 +576,8 @@ DjVuFile::process_incl_chunk(ByteStream & str, int file_num)
+ GURL incl_url=pcaster->id_to_url(this, incl_str);
+ if (incl_url.is_empty()) // Fallback. Should never be used.
+ incl_url=GURL::UTF8(incl_str,url.base());
++ if (incl_url == url) // Infinite loop avoidance
++ G_THROW( ERR_MSG("DjVuFile.malformed") );
+ 
+ // Now see if there is already a file with this *name* created
+ {
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index c2fdbe4..8ad64b2 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -1284,6 +1284,8 @@ GBitmap::decode(unsigned char *runs)
+ // initialize pixel array
+ if (nrows==0 || ncolumns==0)
+ G_THROW( ERR_MSG("GBitmap.not_init") );
++ if (ncolumns + border != (unsigned short)(ncolumns+border))
++ G_THROW("GBitmap: image size exceeds maximum (corrupted file?)");
+ bytes_per_row = ncolumns + border;
+ if (runs==0)
+ G_THROW( ERR_MSG("GBitmap.null_arg") );
+diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp
+index e8d4b44..4a1797e 100644
+--- a/libdjvu/IW44Image.cpp
++++ b/libdjvu/IW44Image.cpp
+@@ -676,9 +676,13 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
+ // Allocate reconstruction buffer
+ short *data16;
+ size_t sz = bw * bh;
++ if (sz == 0)
++ G_THROW("IW44Image: image size is zero (corrupted file?)");
+ if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+ G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+ GPBuffer gdata16(data16,sz);
++ if (data16 == 0)
++ G_THROW("IW44Image: unable to allocate image buffer");
+ // Copy coefficients
+ int i;
+ short *p = data16;
+diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
+index 7109952..e7b489b 100644
+--- a/tools/ddjvu.cpp
++++ b/tools/ddjvu.cpp
+@@ -393,8 +393,11 @@ render(ddjvu_page_t *page, int pageno)
+ } else if (style == DDJVU_FORMAT_GREY8)
+ rowsize = rrect.w;
+ else
+- rowsize = rrect.w * 3;
+- if (! (image = (char*)malloc(rowsize * rrect.h)))
++ rowsize = rrect.w * 3;
++ size_t bufsize = (size_t)rowsize * rrect.h;
++ if (bufsize / rowsize != rrect.h)
++ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
++ if (! (image = (char*)malloc(bufsize)))
+ die(i18n("Cannot allocate image buffer for page %d"), pageno);
+ 
+ /* Render */
\ No newline at end of file
diff --git a/pkgs/applications/misc/djvulibre/default.nix b/pkgs/applications/misc/djvulibre/default.nix
index ad85c9c79d1d..a4a26906e666 100644
--- a/pkgs/applications/misc/djvulibre/default.nix
+++ b/pkgs/applications/misc/djvulibre/default.nix
@@ -32,6 +32,10 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
+ patches = [
+ ./CVE-2021-3500+CVE-2021-32490+CVE-2021-32491+CVE-2021-32492+CVE-2021-32493.patch
+ ];
+
 meta = with lib; {
 description = "The big set of CLI tools to make/modify/optimize/show/export DJVU files";
 homepage = "https://djvu.sourceforge.net";
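Review bot: The new overflow check in the tools/ddjvu.cpp hunk, `if (bufsize / rowsize != rrect.h)`, divides by rowsize, which is zero for a zero-width page rectangle (the GREY8 branch sets `rowsize = rrect.w`), so a degenerate or malformed page would trap with SIGFPE instead of reaching die(). Unless render() already rejects rrect.w == 0 before this point (its start is outside the hunk), guard the divisor: `if (rowsize == 0 || bufsize / (size_t)rowsize != rrect.h)`. The guard also only covers the rowsize × rrect.h product; `rowsize = rrect.w * 3` is still evaluated in rowsize's own type before the (size_t) cast, so a very large width can wrap there before the check runs — if rowsize is a plain int as its use here suggests, either bound rrect.w first or compute `bufsize = (size_t)rrect.w * 3 * rrect.h` and check that product instead. render() starts and ends outside the hunk.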