105 lines
4.3 KiB
Diff
105 lines
4.3 KiB
Diff
From cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6 Mon Sep 17 00:00:00 2001
|
|
From: Leon Bottou <leon@bottou.org>
|
|
Date: Tue, 11 May 2021 14:44:09 -0400
|
|
Subject: [PATCH] Reviewed Fedora patches and adopted some of them (or variants
|
|
thereof)
|
|
|
|
- Patch0: djvulibre-3.5.22-cdefs.patch (forward ported)
|
|
Does not make imuch sense. GSmartPointer.h already includes "stddef.h"
|
|
- Patch6: djvulibre-3.5.27-export-file.patch (forward ported)
|
|
Incorrect: inkscape command is --export-png, not --export-filename.
|
|
- Patch8: djvulibre-3.5.27-check-image-size.patch (forward ported)
|
|
Correct: adopted a variant of this
|
|
- Patch9: djvulibre-3.5.27-integer-overflow.patch (forward ported)
|
|
Correct: adopted a variant of this
|
|
- Patch10: djvulibre-3.5.27-check-input-pool.patch (forward ported)
|
|
Adopted: input validation never hurts
|
|
- Patch11: djvulibre-3.5.27-djvuport-stack-overflow.patch (forward ported)
|
|
Dubious: Instead I changed djvufile to prevent a file from including itself
|
|
which is the only way I can imagine to create an file creation loop.
|
|
- Patch12: djvulibre-3.5.27-unsigned-short-overflow.patch (forward ported)
|
|
Adopted: but without including limits.h
|
|
---
|
|
libdjvu/DataPool.cpp | 3 ++-
|
|
libdjvu/DjVuFile.cpp | 2 ++
|
|
libdjvu/GBitmap.cpp | 2 ++
|
|
libdjvu/IW44Image.cpp | 4 ++++
|
|
tools/ddjvu.cpp | 7 +++++--
|
|
5 files changed, 15 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/libdjvu/DataPool.cpp b/libdjvu/DataPool.cpp
|
|
index 5fcbedf..b58fc45 100644
|
|
--- a/libdjvu/DataPool.cpp
|
|
+++ b/libdjvu/DataPool.cpp
|
|
@@ -790,7 +790,8 @@ DataPool::create(const GP<DataPool> & pool, int start, int length)
|
|
{
|
|
DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " start=" << start << " length= " << length << "\n");
|
|
DEBUG_MAKE_INDENT(3);
|
|
-
|
|
+ if (!pool)
|
|
+ G_THROW( ERR_MSG("DataPool.zero_DataPool") );
|
|
DataPool *xpool=new DataPool();
|
|
GP<DataPool> retval=xpool;
|
|
xpool->init();
|
|
diff --git a/libdjvu/DjVuFile.cpp b/libdjvu/DjVuFile.cpp
|
|
index 143346b..2587491 100644
|
|
--- a/libdjvu/DjVuFile.cpp
|
|
+++ b/libdjvu/DjVuFile.cpp
|
|
@@ -576,6 +576,8 @@ DjVuFile::process_incl_chunk(ByteStream & str, int file_num)
|
|
GURL incl_url=pcaster->id_to_url(this, incl_str);
|
|
if (incl_url.is_empty()) // Fallback. Should never be used.
|
|
incl_url=GURL::UTF8(incl_str,url.base());
|
|
+ if (incl_url == url) // Infinite loop avoidance
|
|
+ G_THROW( ERR_MSG("DjVuFile.malformed") );
|
|
|
|
// Now see if there is already a file with this *name* created
|
|
{
|
|
diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
|
|
index c2fdbe4..8ad64b2 100644
|
|
--- a/libdjvu/GBitmap.cpp
|
|
+++ b/libdjvu/GBitmap.cpp
|
|
@@ -1284,6 +1284,8 @@ GBitmap::decode(unsigned char *runs)
|
|
// initialize pixel array
|
|
if (nrows==0 || ncolumns==0)
|
|
G_THROW( ERR_MSG("GBitmap.not_init") );
|
|
+ if (ncolumns + border != (unsigned short)(ncolumns+border))
|
|
+ G_THROW("GBitmap: image size exceeds maximum (corrupted file?)");
|
|
bytes_per_row = ncolumns + border;
|
|
if (runs==0)
|
|
G_THROW( ERR_MSG("GBitmap.null_arg") );
|
|
diff --git a/libdjvu/IW44Image.cpp b/libdjvu/IW44Image.cpp
|
|
index e8d4b44..4a1797e 100644
|
|
--- a/libdjvu/IW44Image.cpp
|
|
+++ b/libdjvu/IW44Image.cpp
|
|
@@ -676,9 +676,13 @@ IW44Image::Map::image(signed char *img8, int rowsize, int pixsep, int fast)
|
|
// Allocate reconstruction buffer
|
|
short *data16;
|
|
size_t sz = bw * bh;
|
|
+ if (sz == 0)
|
|
+ G_THROW("IW44Image: image size is zero (corrupted file?)");
|
|
if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
|
|
G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
|
|
GPBuffer<short> gdata16(data16,sz);
|
|
+ if (data16 == 0)
|
|
+ G_THROW("IW44Image: unable to allocate image buffer");
|
|
// Copy coefficients
|
|
int i;
|
|
short *p = data16;
|
|
diff --git a/tools/ddjvu.cpp b/tools/ddjvu.cpp
|
|
index 7109952..e7b489b 100644
|
|
--- a/tools/ddjvu.cpp
|
|
+++ b/tools/ddjvu.cpp
|
|
@@ -393,8 +393,11 @@ render(ddjvu_page_t *page, int pageno)
|
|
} else if (style == DDJVU_FORMAT_GREY8)
|
|
rowsize = rrect.w;
|
|
else
|
|
- rowsize = rrect.w * 3;
|
|
- if (! (image = (char*)malloc(rowsize * rrect.h)))
|
|
+ rowsize = rrect.w * 3;
|
|
+ size_t bufsize = (size_t)rowsize * rrect.h;
|
|
+ if (bufsize / rowsize != rrect.h)
|
|
+ die(i18n("Integer overflow when allocating image buffer for page %d"), pageno);
|
|
+ if (! (image = (char*)malloc(bufsize)))
|
|
die(i18n("Cannot allocate image buffer for page %d"), pageno);
|
|
|
|
/* Render */
|