diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch b/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch new file mode 100644 index 00000000000..89ff3759451 --- /dev/null +++ b/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch @@ -0,0 +1,72 @@ +commit 970fb11a296b5bbdc5e8425851253d2c5913c45e +Author: Leon Bottou +Date: Tue Mar 26 20:36:31 2019 -0400 + + Fix bug#296 + +diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp +index a6a39e0..0a0fac6 100644 +--- a/libdjvu/DjVmDir.cpp ++++ b/libdjvu/DjVmDir.cpp +@@ -299,42 +299,44 @@ DjVmDir::decode(const GP &gstr) + memcpy((char*) strings+strings_size, buffer, length); + } + DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n"); +- if (strings[strings.size()-1] != 0) +- { +- int strings_size=strings.size(); +- strings.resize(strings_size+1); +- strings[strings_size] = 0; +- } ++ int strings_size=strings.size(); ++ strings.resize(strings_size+3); ++ memset((char*) strings+strings_size, 0, 4); + +- // Copy names into the files ++ // Copy names into the files + const char * ptr=strings; + for(pos=files_list;pos;++pos) + { + GP file=files_list[pos]; +- ++ if (ptr >= (const char*)strings + strings_size) ++ G_THROW( "DjVu document is corrupted (DjVmDir)" ); + file->id=ptr; + ptr+=file->id.length()+1; + if (file->flags & File::HAS_NAME) + { +- file->name=ptr; +- ptr+=file->name.length()+1; +- } else ++ file->name=ptr; ++ ptr+=file->name.length()+1; ++ } ++ else + { + file->name=file->id; + } + if (file->flags & File::HAS_TITLE) + { +- file->title=ptr; +- ptr+=file->title.length()+1; +- } else +- file->title=file->id; +- /* msr debug: multipage file, file->title is null. ++ file->title=ptr; ++ ptr+=file->title.length()+1; ++ } ++ else ++ { ++ file->title=file->id; ++ } ++ /* msr debug: multipage file, file->title is null. + DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " << + file->offset << ", " << file->size << ", " << + file->is_page() << "\n"); */ + } + +- // Check that there is only one file with SHARED_ANNO flag on ++ // Check that there is only one file with SHARED_ANNO flag on + int shared_anno_cnt=0; + for(pos=files_list;pos;++pos) + { diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-15143.patch b/pkgs/applications/misc/djvulibre/CVE-2019-15143.patch new file mode 100644 index 00000000000..ef1905338fb --- /dev/null +++ b/pkgs/applications/misc/djvulibre/CVE-2019-15143.patch @@ -0,0 +1,39 @@ +commit b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f +Author: Leon Bottou +Date: Tue Mar 26 20:45:46 2019 -0400 + + fix for bug #297 + +diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp +index 0a0fac6..5a49015 100644 +--- a/libdjvu/DjVmDir.cpp ++++ b/libdjvu/DjVmDir.cpp +@@ -309,7 +309,7 @@ DjVmDir::decode(const GP &gstr) + { + GP file=files_list[pos]; + if (ptr >= (const char*)strings + strings_size) +- G_THROW( "DjVu document is corrupted (DjVmDir)" ); ++ G_THROW( ByteStream::EndOfFile ); + file->id=ptr; + ptr+=file->id.length()+1; + if (file->flags & File::HAS_NAME) +diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp +index 0e487f0..c2fdbe4 100644 +--- a/libdjvu/GBitmap.cpp ++++ b/libdjvu/GBitmap.cpp +@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs) + int c = 0; + while (n >= 0) + { +- bs.read(&h, 1); ++ if (bs.read(&h, 1) <= 0) ++ G_THROW( ByteStream::EndOfFile ); + int x = h; + if (x >= (int)RUNOVERFLOWVALUE) + { +- bs.read(&h, 1); ++ if (bs.read(&h, 1) <= 0) ++ G_THROW( ByteStream::EndOfFile ); + x = h + ((x - (int)RUNOVERFLOWVALUE) << 8); + } + if (c+x > ncolumns) diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-15144.patch b/pkgs/applications/misc/djvulibre/CVE-2019-15144.patch new file mode 100644 index 00000000000..6094be88338 --- /dev/null +++ b/pkgs/applications/misc/djvulibre/CVE-2019-15144.patch @@ -0,0 +1,111 @@ +commit e15d51510048927f172f1bf1f27ede65907d940d +Author: Leon Bottou +Date: Mon Apr 8 22:25:55 2019 -0400 + + bug 299 fixed + +diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h +index 96b067c..0140211 100644 +--- a/libdjvu/GContainer.h ++++ b/libdjvu/GContainer.h +@@ -550,52 +550,61 @@ public: + template void + GArrayTemplate::sort(int lo, int hi) + { +- if (hi <= lo) +- return; +- if (hi > hibound || lo hibound || lo=lo) && !(data[j]<=tmp)) +- data[j+1] = data[j]; +- data[j+1] = tmp; ++ for (int i=lo+1; i<=hi; i++) ++ { ++ int j = i; ++ TYPE tmp = data[i]; ++ while ((--j>=lo) && !(data[j]<=tmp)) ++ data[j+1] = data[j]; ++ data[j+1] = tmp; ++ } ++ return; + } +- return; +- } +- // -- determine suitable quick-sort pivot +- TYPE tmp = data[lo]; +- TYPE pivot = data[(lo+hi)/2]; +- if (pivot <= tmp) +- { tmp = pivot; pivot=data[lo]; } +- if (data[hi] <= tmp) +- { pivot = tmp; } +- else if (data[hi] <= pivot) +- { pivot = data[hi]; } +- // -- partition set +- int h = hi; +- int l = lo; +- while (l < h) +- { +- while (! (pivot <= data[l])) l++; +- while (! (data[h] <= pivot)) h--; +- if (l < h) ++ // -- determine median-of-three pivot ++ TYPE tmp = data[lo]; ++ TYPE pivot = data[(lo+hi)/2]; ++ if (pivot <= tmp) ++ { tmp = pivot; pivot=data[lo]; } ++ if (data[hi] <= tmp) ++ { pivot = tmp; } ++ else if (data[hi] <= pivot) ++ { pivot = data[hi]; } ++ // -- partition set ++ int h = hi; ++ int l = lo; ++ while (l < h) + { +- tmp = data[l]; +- data[l] = data[h]; +- data[h] = tmp; +- l = l+1; +- h = h-1; ++ while (! (pivot <= data[l])) l++; ++ while (! (data[h] <= pivot)) h--; ++ if (l < h) ++ { ++ tmp = data[l]; ++ data[l] = data[h]; ++ data[h] = tmp; ++ l = l+1; ++ h = h-1; ++ } ++ } ++ // -- recurse, small partition first ++ // tail-recursion elimination ++ if (h - lo <= hi - l) { ++ sort(lo,h); ++ lo = l; // sort(l,hi) ++ } else { ++ sort(l,hi); ++ hi = h; // sort(lo,h) + } + } +- // -- recursively restart +- sort(lo, h); +- sort(l, hi); + } + + template inline TYPE& diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-15145.patch b/pkgs/applications/misc/djvulibre/CVE-2019-15145.patch new file mode 100644 index 00000000000..01108f9ee73 --- /dev/null +++ b/pkgs/applications/misc/djvulibre/CVE-2019-15145.patch @@ -0,0 +1,28 @@ +commit 9658b01431cd7ff6344d7787f855179e73fe81a7 +Author: Leon Bottou +Date: Mon Apr 8 22:55:38 2019 -0400 + + fix bug #298 + +diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h +index e8e0c9b..ca89a19 100644 +--- a/libdjvu/GBitmap.h ++++ b/libdjvu/GBitmap.h +@@ -566,7 +566,7 @@ GBitmap::operator[](int row) + { + if (!bytes) + uncompress(); +- if (row<0 || row>=nrows) { ++ if (row<0 || row>=nrows || !bytes) { + #ifndef NDEBUG + if (zerosize < bytes_per_row + border) + G_THROW( ERR_MSG("GBitmap.zero_small") ); +@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const + { + if (!bytes) + ((GBitmap*)this)->uncompress(); +- if (row<0 || row>=nrows) { ++ if (row<0 || row>=nrows || !bytes) { + #ifndef NDEBUG + if (zerosize < bytes_per_row + border) + G_THROW( ERR_MSG("GBitmap.zero_small") ); diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-18804.patch b/pkgs/applications/misc/djvulibre/CVE-2019-18804.patch new file mode 100644 index 00000000000..132fed79488 --- /dev/null +++ b/pkgs/applications/misc/djvulibre/CVE-2019-18804.patch @@ -0,0 +1,32 @@ +commit c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125 +Author: Leon Bottou +Date: Thu Oct 17 22:20:31 2019 -0400 + + Fixed bug 309 + +diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp +index 00752a0..f81eaeb 100644 +--- a/libdjvu/IW44EncodeCodec.cpp ++++ b/libdjvu/IW44EncodeCodec.cpp +@@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale) + int y = 0; + int s = scale*rowsize; + int s3 = s+s+s; +- h = ((h-1)/scale)+1; ++ h = (h>0) ? ((h-1)/scale)+1 : 0; + y += 1; + p += s; + while (y-3 < h) +diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp +index 6d0df3b..7109952 100644 +--- a/tools/ddjvu.cpp ++++ b/tools/ddjvu.cpp +@@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno) + prect.h = (ih * 100) / dpi; + } + /* Process aspect ratio */ +- if (flag_aspect <= 0) ++ if (flag_aspect <= 0 && iw>0 && ih>0) + { + double dw = (double)iw / prect.w; + double dh = (double)ih / prect.h; diff --git a/pkgs/applications/misc/djvulibre/default.nix b/pkgs/applications/misc/djvulibre/default.nix index 182ab51dbc2..afb7b6cf139 100644 --- a/pkgs/applications/misc/djvulibre/default.nix +++ b/pkgs/applications/misc/djvulibre/default.nix @@ -24,6 +24,17 @@ stdenv.mkDerivation rec { libiconv ]; + patches = [ + ./CVE-2019-18804.patch + # This one is needed to make the following + # two CVE patches apply cleanly + ./fix_hongfuzz_crash.patch + ./CVE-2019-15142.patch + ./CVE-2019-15143.patch + ./CVE-2019-15144.patch + ./CVE-2019-15145.patch + ]; + meta = with stdenv.lib; { description = "The big set of CLI tools to make/modify/optimize/show/export DJVU files"; homepage = "http://djvu.sourceforge.net"; diff --git a/pkgs/applications/misc/djvulibre/fix_hongfuzz_crash.patch b/pkgs/applications/misc/djvulibre/fix_hongfuzz_crash.patch new file mode 100644 index 00000000000..609b41cd9db --- /dev/null +++ b/pkgs/applications/misc/djvulibre/fix_hongfuzz_crash.patch @@ -0,0 +1,51 @@ +commit 89d71b01d606e57ecec2c2930c145bb20ba5bbe3 +Author: Leon Bottou +Date: Fri Jul 13 08:46:22 2018 -0400 + + fix hongfuzz crash. + +diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp +index d322323..a6a39e0 100644 +--- a/libdjvu/DjVmDir.cpp ++++ b/libdjvu/DjVmDir.cpp +@@ -299,7 +299,13 @@ DjVmDir::decode(const GP &gstr) + memcpy((char*) strings+strings_size, buffer, length); + } + DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n"); +- ++ if (strings[strings.size()-1] != 0) ++ { ++ int strings_size=strings.size(); ++ strings.resize(strings_size+1); ++ strings[strings_size] = 0; ++ } ++ + // Copy names into the files + const char * ptr=strings; + for(pos=files_list;pos;++pos) +diff --git a/libdjvu/miniexp.cpp b/libdjvu/miniexp.cpp +index 6a5cd90..828addc 100644 +--- a/libdjvu/miniexp.cpp ++++ b/libdjvu/miniexp.cpp +@@ -1065,7 +1065,7 @@ print_c_string(const char *s, char *d, int flags, size_t len) + c = (unsigned char)(*s++); + if (char_quoted(c, flags)) + { +- char buffer[10]; ++ char buffer[16]; /* 10+1 */ + static const char *tr1 = "\"\\tnrbf"; + static const char *tr2 = "\"\\\t\n\r\b\f"; + buffer[0] = buffer[1] = 0; +diff --git a/tools/csepdjvu.cpp b/tools/csepdjvu.cpp +index 7ed13ad..fab9472 100644 +--- a/tools/csepdjvu.cpp ++++ b/tools/csepdjvu.cpp +@@ -1834,7 +1834,7 @@ main(int argc, const char **argv) + ByteStream::create(GURL::Filename::UTF8(arg),"rb"); + BufferByteStream ibs(*fbs); + do { +- char pagename[16]; ++ char pagename[20]; + sprintf(pagename, "p%04d.djvu", ++pageno); + if (opts.verbose > 1) + DjVuPrintErrorUTF8("%s","--------------------\n");