From edded3cda7164a660debe57c5952adc0acf908f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?=
Date: Thu, 29 Apr 2021 16:20:21 +0200
Subject: [PATCH] djvulibre: 3.5.27 -> 3.5.28
---
.../misc/djvulibre/CVE-2019-15142.patch | 72 ------------
.../misc/djvulibre/CVE-2019-15143.patch | 39 ------
.../misc/djvulibre/CVE-2019-15144.patch | 111 ------------------
.../misc/djvulibre/CVE-2019-15145.patch | 28 -----
.../misc/djvulibre/CVE-2019-18804.patch | 32 -----
pkgs/applications/misc/djvulibre/default.nix | 17 +--
.../misc/djvulibre/fix_hongfuzz_crash.patch | 51 --------
7 files changed, 3 insertions(+), 347 deletions(-)
delete mode 100644 pkgs/applications/misc/djvulibre/CVE-2019-15142.patch
delete mode 100644 pkgs/applications/misc/djvulibre/CVE-2019-15143.patch
delete mode 100644 pkgs/applications/misc/djvulibre/CVE-2019-15144.patch
delete mode 100644 pkgs/applications/misc/djvulibre/CVE-2019-15145.patch
delete mode 100644 pkgs/applications/misc/djvulibre/CVE-2019-18804.patch
delete mode 100644 pkgs/applications/misc/djvulibre/fix_hongfuzz_crash.patch
diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch b/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch
deleted file mode 100644
index 89ff3759451..00000000000
--- a/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-commit 970fb11a296b5bbdc5e8425851253d2c5913c45e
-Author: Leon Bottou
-Date: Tue Mar 26 20:36:31 2019 -0400
-
- Fix bug#296
-
-diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
-index a6a39e0..0a0fac6 100644
---- a/libdjvu/DjVmDir.cpp
-+++ b/libdjvu/DjVmDir.cpp
-@@ -299,42 +299,44 @@ DjVmDir::decode(const GP &gstr)
- memcpy((char*) strings+strings_size, buffer, length);
- }
- DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
-- if (strings[strings.size()-1] != 0)
-- {
-- int strings_size=strings.size();
-- strings.resize(strings_size+1);
-- strings[strings_size] = 0;
-- }
-+ int strings_size=strings.size();
-+ strings.resize(strings_size+3);
-+ memset((char*) strings+strings_size, 0, 4);
-
-- // Copy names into the files
-+ // Copy names into the files
- const char * ptr=strings;
- for(pos=files_list;pos;++pos)
- {
- GP file=files_list[pos];
--
-+ if (ptr >= (const char*)strings + strings_size)
-+ G_THROW( "DjVu document is corrupted (DjVmDir)" );
- file->id=ptr;
- ptr+=file->id.length()+1;
- if (file->flags & File::HAS_NAME)
- {
-- file->name=ptr;
-- ptr+=file->name.length()+1;
-- } else
-+ file->name=ptr;
-+ ptr+=file->name.length()+1;
-+ }
-+ else
- {
- file->name=file->id;
- }
- if (file->flags & File::HAS_TITLE)
- {
-- file->title=ptr;
-- ptr+=file->title.length()+1;
-- } else
-- file->title=file->id;
-- /* msr debug: multipage file, file->title is null.
-+ file->title=ptr;
-+ ptr+=file->title.length()+1;
-+ }
-+ else
-+ {
-+ file->title=file->id;
-+ }
-+ /* msr debug: multipage file, file->title is null.
- DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
- file->offset << ", " << file->size << ", " <<
- file->is_page() << "\n"); */
- }
-
-- // Check that there is only one file with SHARED_ANNO flag on
-+ // Check that there is only one file with SHARED_ANNO flag on
- int shared_anno_cnt=0;
- for(pos=files_list;pos;++pos)
- {
diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-15143.patch b/pkgs/applications/misc/djvulibre/CVE-2019-15143.patch
deleted file mode 100644
index ef1905338fb..00000000000
--- a/pkgs/applications/misc/djvulibre/CVE-2019-15143.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-commit b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f
-Author: Leon Bottou
-Date: Tue Mar 26 20:45:46 2019 -0400
-
- fix for bug #297
-
-diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
-index 0a0fac6..5a49015 100644
---- a/libdjvu/DjVmDir.cpp
-+++ b/libdjvu/DjVmDir.cpp
-@@ -309,7 +309,7 @@ DjVmDir::decode(const GP &gstr)
- {
- GP file=files_list[pos];
- if (ptr >= (const char*)strings + strings_size)
-- G_THROW( "DjVu document is corrupted (DjVmDir)" );
-+ G_THROW( ByteStream::EndOfFile );
- file->id=ptr;
- ptr+=file->id.length()+1;
- if (file->flags & File::HAS_NAME)
-diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
-index 0e487f0..c2fdbe4 100644
---- a/libdjvu/GBitmap.cpp
-+++ b/libdjvu/GBitmap.cpp
-@@ -890,11 +890,13 @@ GBitmap::read_rle_raw(ByteStream &bs)
- int c = 0;
- while (n >= 0)
- {
-- bs.read(&h, 1);
-+ if (bs.read(&h, 1) <= 0)
-+ G_THROW( ByteStream::EndOfFile );
- int x = h;
- if (x >= (int)RUNOVERFLOWVALUE)
- {
-- bs.read(&h, 1);
-+ if (bs.read(&h, 1) <= 0)
-+ G_THROW( ByteStream::EndOfFile );
- x = h + ((x - (int)RUNOVERFLOWVALUE) << 8);
- }
- if (c+x > ncolumns)
diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-15144.patch b/pkgs/applications/misc/djvulibre/CVE-2019-15144.patch
deleted file mode 100644
index 6094be88338..00000000000
--- a/pkgs/applications/misc/djvulibre/CVE-2019-15144.patch
+++ /dev/null
@@ -1,111 +0,0 @@ -commit e15d51510048927f172f1bf1f27ede65907d940d -Author: Leon Bottou -Date: Mon Apr 8 22:25:55 2019 -0400 - - bug 299 fixed - -diff --git a/libdjvu/GContainer.h b/libdjvu/GContainer.h -index 96b067c..0140211 100644 ---- a/libdjvu/GContainer.h -+++ b/libdjvu/GContainer.h -@@ -550,52 +550,61 @@ public: - template void - GArrayTemplate::sort(int lo, int hi) - { -- if (hi <= lo) -- return; -- if (hi > hibound || lo hibound || lo=lo) && !(data[j]<=tmp)) -- data[j+1] = data[j]; -- data[j+1] = tmp; -+ for (int i=lo+1; i<=hi; i++) -+ { -+ int j = i; -+ TYPE tmp = data[i]; -+ while ((--j>=lo) && !(data[j]<=tmp)) -+ data[j+1] = data[j]; -+ data[j+1] = tmp; -+ } -+ return; - } -- return; -- } -- // -- determine suitable quick-sort pivot -- TYPE tmp = data[lo]; -- TYPE pivot = data[(lo+hi)/2]; -- if (pivot <= tmp) -- { tmp = pivot; pivot=data[lo]; } -- if (data[hi] <= tmp) -- { pivot = tmp; } -- else if (data[hi] <= pivot) -- { pivot = data[hi]; } -- // -- partition set -- int h = hi; -- int l = lo; -- while (l < h) -- { -- while (! (pivot <= data[l])) l++; -- while (! (data[h] <= pivot)) h--; -- if (l < h) -+ // -- determine median-of-three pivot -+ TYPE tmp = data[lo]; -+ TYPE pivot = data[(lo+hi)/2]; -+ if (pivot <= tmp) -+ { tmp = pivot; pivot=data[lo]; } -+ if (data[hi] <= tmp) -+ { pivot = tmp; } -+ else if (data[hi] <= pivot) -+ { pivot = data[hi]; } -+ // -- partition set -+ int h = hi; -+ int l = lo; -+ while (l < h) - { -- tmp = data[l]; -- data[l] = data[h]; -- data[h] = tmp; -- l = l+1; -- h = h-1; -+ while (! (pivot <= data[l])) l++; -+ while (! 
(data[h] <= pivot)) h--; -+ if (l < h) -+ { -+ tmp = data[l]; -+ data[l] = data[h]; -+ data[h] = tmp; -+ l = l+1; -+ h = h-1; -+ } -+ } -+ // -- recurse, small partition first -+ // tail-recursion elimination -+ if (h - lo <= hi - l) { -+ sort(lo,h); -+ lo = l; // sort(l,hi) -+ } else { -+ sort(l,hi); -+ hi = h; // sort(lo,h) - } - } -- // -- recursively restart -- sort(lo, h); -- sort(l, hi); - } - - template inline TYPE& diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-15145.patch b/pkgs/applications/misc/djvulibre/CVE-2019-15145.patch deleted file mode 100644 index 01108f9ee73..00000000000 --- a/pkgs/applications/misc/djvulibre/CVE-2019-15145.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 9658b01431cd7ff6344d7787f855179e73fe81a7 -Author: Leon Bottou -Date: Mon Apr 8 22:55:38 2019 -0400 - - fix bug #298 - -diff --git a/libdjvu/GBitmap.h b/libdjvu/GBitmap.h -index e8e0c9b..ca89a19 100644 ---- a/libdjvu/GBitmap.h -+++ b/libdjvu/GBitmap.h -@@ -566,7 +566,7 @@ GBitmap::operator[](int row) - { - if (!bytes) - uncompress(); -- if (row<0 || row>=nrows) { -+ if (row<0 || row>=nrows || !bytes) { - #ifndef NDEBUG - if (zerosize < bytes_per_row + border) - G_THROW( ERR_MSG("GBitmap.zero_small") ); -@@ -581,7 +581,7 @@ GBitmap::operator[](int row) const - { - if (!bytes) - ((GBitmap*)this)->uncompress(); -- if (row<0 || row>=nrows) { -+ if (row<0 || row>=nrows || !bytes) { - #ifndef NDEBUG - if (zerosize < bytes_per_row + border) - G_THROW( ERR_MSG("GBitmap.zero_small") ); diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-18804.patch b/pkgs/applications/misc/djvulibre/CVE-2019-18804.patch deleted file mode 100644 index 132fed79488..00000000000 --- a/pkgs/applications/misc/djvulibre/CVE-2019-18804.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -commit c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125 -Author: Leon Bottou -Date: Thu Oct 17 22:20:31 2019 -0400 - - Fixed bug 309 - -diff --git a/libdjvu/IW44EncodeCodec.cpp b/libdjvu/IW44EncodeCodec.cpp -index 00752a0..f81eaeb 100644 ---- a/libdjvu/IW44EncodeCodec.cpp -+++ b/libdjvu/IW44EncodeCodec.cpp -@@ -405,7 +405,7 @@ filter_fv(short *p, int w, int h, int rowsize, int scale) - int y = 0; - int s = scale*rowsize; - int s3 = s+s+s; -- h = ((h-1)/scale)+1; -+ h = (h>0) ? ((h-1)/scale)+1 : 0; - y += 1; - p += s; - while (y-3 < h) -diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp -index 6d0df3b..7109952 100644 ---- a/tools/ddjvu.cpp -+++ b/tools/ddjvu.cpp -@@ -279,7 +279,7 @@ render(ddjvu_page_t *page, int pageno) - prect.h = (ih * 100) / dpi; - } - /* Process aspect ratio */ -- if (flag_aspect <= 0) -+ if (flag_aspect <= 0 && iw>0 && ih>0) - { - double dw = (double)iw / prect.w; - double dh = (double)ih / prect.h; diff --git a/pkgs/applications/misc/djvulibre/default.nix b/pkgs/applications/misc/djvulibre/default.nix index d4384e829cf..5119dd48e0d 100644 --- a/pkgs/applications/misc/djvulibre/default.nix +++ b/pkgs/applications/misc/djvulibre/default.nix @@ -8,11 +8,11 @@ stdenv.mkDerivation rec { pname = "djvulibre"; - version = "3.5.27"; + version = "3.5.28"; src = fetchurl { url = "mirror://sourceforge/djvu/${pname}-${version}.tar.gz"; - sha256 = "0psh3zl9dj4n4r3lx25390nx34xz0bg0ql48zdskhq354ljni5p6"; + sha256 = "1p1fiygq9ny8aimwc4vxwjc6k9ykgdsq1sq06slfbzalfvm0kl7w"; }; outputs = [ "bin" "dev" "out" ]; 
@@ -24,21 +24,10 @@ stdenv.mkDerivation rec { libiconv ]; - patches = [ - ./CVE-2019-18804.patch - # This one is needed to make the following - # two CVE patches apply cleanly - ./fix_hongfuzz_crash.patch - ./CVE-2019-15142.patch - ./CVE-2019-15143.patch - ./CVE-2019-15144.patch - ./CVE-2019-15145.patch - ]; - meta = with lib; { description = "The big set of CLI tools to make/modify/optimize/show/export DJVU files"; homepage = "http://djvu.sourceforge.net"; - license = licenses.gpl2; + license = licenses.gpl2Plus; maintainers = with maintainers; [ Anton-Latukha ]; platforms = platforms.all; }; diff --git a/pkgs/applications/misc/djvulibre/fix_hongfuzz_crash.patch b/pkgs/applications/misc/djvulibre/fix_hongfuzz_crash.patch deleted file mode 100644 index 609b41cd9db..00000000000 --- a/pkgs/applications/misc/djvulibre/fix_hongfuzz_crash.patch +++ /dev/null 
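Review bot: The whole `patches` list is dropped in this hunk, and neither the hunk nor the commit message records that the 3.5.28 tarball already contains the fixes that were carried locally (CVE-2019-15142, CVE-2019-15143, CVE-2019-15144, CVE-2019-15145, CVE-2019-18804 and the honggfuzz crash fix). Before merging I would confirm that the upstream commits named in the deleted patch headers (970fb11a, b1f4e1b2, e15d5151, 9658b014, c8bec654, 89d71b01) are all present in the 3.5.28 source, and state that in the commit description, for example `All previously carried patches are included upstream in 3.5.28.` The `license = licenses.gpl2Plus;` change in the same hunk is not part of the version bump named in the subject and should get its own line of justification. The `stdenv.mkDerivation` body starts and ends outside this hunk.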
@@ -1,51 +0,0 @@
-commit 89d71b01d606e57ecec2c2930c145bb20ba5bbe3
-Author: Leon Bottou
-Date: Fri Jul 13 08:46:22 2018 -0400
-
- fix hongfuzz crash.
-
-diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
-index d322323..a6a39e0 100644
---- a/libdjvu/DjVmDir.cpp
-+++ b/libdjvu/DjVmDir.cpp
-@@ -299,7 +299,13 @@ DjVmDir::decode(const GP &gstr)
- memcpy((char*) strings+strings_size, buffer, length);
- }
- DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
--
-+ if (strings[strings.size()-1] != 0)
-+ {
-+ int strings_size=strings.size();
-+ strings.resize(strings_size+1);
-+ strings[strings_size] = 0;
-+ }
-+
- // Copy names into the files
- const char * ptr=strings;
- for(pos=files_list;pos;++pos)
-diff --git a/libdjvu/miniexp.cpp b/libdjvu/miniexp.cpp
-index 6a5cd90..828addc 100644
---- a/libdjvu/miniexp.cpp
-+++ b/libdjvu/miniexp.cpp
-@@ -1065,7 +1065,7 @@ print_c_string(const char *s, char *d, int flags, size_t len)
- c = (unsigned char)(*s++);
- if (char_quoted(c, flags))
- {
-- char buffer[10];
-+ char buffer[16]; /* 10+1 */
- static const char *tr1 = "\"\\tnrbf";
- static const char *tr2 = "\"\\\t\n\r\b\f";
- buffer[0] = buffer[1] = 0;
-diff --git a/tools/csepdjvu.cpp b/tools/csepdjvu.cpp
-index 7ed13ad..fab9472 100644
---- a/tools/csepdjvu.cpp
-+++ b/tools/csepdjvu.cpp
-@@ -1834,7 +1834,7 @@ main(int argc, const char **argv)
- ByteStream::create(GURL::Filename::UTF8(arg),"rb");
- BufferByteStream ibs(*fbs);
- do {
-- char pagename[16];
-+ char pagename[20];
- sprintf(pagename, "p%04d.djvu", ++pageno);
- if (opts.verbose > 1)
- DjVuPrintErrorUTF8("%s","--------------------\n");