Diffstat (limited to 'pkgs/applications/misc/djvulibre/CVE-2019-15142.patch')
-rw-r--r-- | pkgs/applications/misc/djvulibre/CVE-2019-15142.patch | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch b/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch
new file mode 100644
index 00000000000..89ff3759451
--- /dev/null
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch
@@ -0,0 +1,72 @@
+commit 970fb11a296b5bbdc5e8425851253d2c5913c45e
+Author: Leon Bottou <leon@bottou.org>
+Date: Tue Mar 26 20:36:31 2019 -0400
+
+ Fix bug#296
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index a6a39e0..0a0fac6 100644
+--- a/libdjvu/DjVmDir.cpp
++++ b/libdjvu/DjVmDir.cpp
+@@ -299,42 +299,44 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+ memcpy((char*) strings+strings_size, buffer, length);
+ }
+ DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
+- if (strings[strings.size()-1] != 0)
+- {
+- int strings_size=strings.size();
+- strings.resize(strings_size+1);
+- strings[strings_size] = 0;
+- }
++ int strings_size=strings.size();
++ strings.resize(strings_size+3);
++ memset((char*) strings+strings_size, 0, 4);
+
+- // Copy names into the files
++ // Copy names into the files
+ const char * ptr=strings;
+ for(pos=files_list;pos;++pos)
+ {
+ GP<File> file=files_list[pos];
+-
++ if (ptr >= (const char*)strings + strings_size)
++ G_THROW( "DjVu document is corrupted (DjVmDir)" );
+ file->id=ptr;
+ ptr+=file->id.length()+1;
+ if (file->flags & File::HAS_NAME)
+ {
+- file->name=ptr;
+- ptr+=file->name.length()+1;
+- } else
++ file->name=ptr;
++ ptr+=file->name.length()+1;
++ }
++ else
+ {
+ file->name=file->id;
+ }
+ if (file->flags & File::HAS_TITLE)
+ {
+- file->title=ptr;
+- ptr+=file->title.length()+1;
+- } else
+- file->title=file->id;
+- /* msr debug: multipage file, file->title is null.
++ file->title=ptr;
++ ptr+=file->title.length()+1;
++ }
++ else
++ {
++ file->title=file->id;
++ }
++ /* msr debug: multipage file, file->title is null.
+ DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
+ file->offset << ", " << file->size << ", " <<
+ file->is_page() << "\n"); */
+ }
+
+- // Check that there is only one file with SHARED_ANNO flag on
++ // Check that there is only one file with SHARED_ANNO flag on
+ int shared_anno_cnt=0;
+ for(pos=files_list;pos;++pos)
+ { |
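Review bot: In the patched `DjVmDir::decode`, the new `ptr >= (const char*)strings + strings_size` check runs once per entry, before `file->id=ptr`, while the `file->name=ptr` and `file->title=ptr` reads that follow have no check of their own and stay in bounds only because of the zero padding written by `memset((char*) strings+strings_size, 0, 4)`. That coupling is not stated anywhere, and `strings.resize(strings_size+3)` next to a 4-byte `memset` reads as an off-by-one unless `resize` takes the highest index rather than a count; the earlier `resize` call is outside the hunk, so this is presumed rather than visible. A comment above the padding would keep a later edit from shrinking it, for example `// 4 NUL bytes of padding: the single bounds check per entry must cover the id, name and title reads`. `DjVmDir::decode` begins and ends outside the hunk, so other reads of `strings` were not reviewed.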