Diffstat (limited to 'pkgs/applications/misc/djvulibre/CVE-2019-15142.patch')
-rw-r--r--pkgs/applications/misc/djvulibre/CVE-2019-15142.patch72
1 files changed, 72 insertions, 0 deletions
diff --git a/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch b/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch
new file mode 100644
index 00000000000..89ff3759451
--- /dev/null
+++ b/pkgs/applications/misc/djvulibre/CVE-2019-15142.patch
@@ -0,0 +1,72 @@
+commit 970fb11a296b5bbdc5e8425851253d2c5913c45e
+Author: Leon Bottou <leon@bottou.org>
+Date:   Tue Mar 26 20:36:31 2019 -0400
+
+    Fix bug#296
+
+diff --git a/libdjvu/DjVmDir.cpp b/libdjvu/DjVmDir.cpp
+index a6a39e0..0a0fac6 100644
+--- a/libdjvu/DjVmDir.cpp
++++ b/libdjvu/DjVmDir.cpp
+@@ -299,42 +299,44 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
+          memcpy((char*) strings+strings_size, buffer, length);
+       }
+       DEBUG_MSG("size of decompressed names block=" << strings.size() << "\n");
+-      if (strings[strings.size()-1] != 0)
+-        {
+-         int strings_size=strings.size();
+-         strings.resize(strings_size+1);
+-         strings[strings_size] = 0;
+-        }
++      int strings_size=strings.size();
++      strings.resize(strings_size+3);
++      memset((char*) strings+strings_size, 0, 4);
+       
+-         // Copy names into the files
++      // Copy names into the files
+       const char * ptr=strings;
+       for(pos=files_list;pos;++pos)
+       {
+          GP<File> file=files_list[pos];
+-
++         if (ptr >= (const char*)strings + strings_size)
++           G_THROW( "DjVu document is corrupted (DjVmDir)" );
+          file->id=ptr;
+          ptr+=file->id.length()+1;
+          if (file->flags & File::HAS_NAME)
+          {
+-            file->name=ptr;
+-            ptr+=file->name.length()+1;
+-         } else
++           file->name=ptr;
++           ptr+=file->name.length()+1;
++         }
++         else
+          {
+             file->name=file->id;
+          }
+          if (file->flags & File::HAS_TITLE)
+          {
+-            file->title=ptr;
+-       ptr+=file->title.length()+1;
+-         } else
+-       file->title=file->id;
+-   /* msr debug:  multipage file, file->title is null.  
++           file->title=ptr;
++           ptr+=file->title.length()+1;
++         }
++         else
++         {
++           file->title=file->id;
++         }
++         /* msr debug:  multipage file, file->title is null.  
+          DEBUG_MSG(file->name << ", " << file->id << ", " << file->title << ", " <<
+                    file->offset << ", " << file->size << ", " <<
+                    file->is_page() << "\n"); */
+       }
+ 
+-         // Check that there is only one file with SHARED_ANNO flag on
++      // Check that there is only one file with SHARED_ANNO flag on
+       int shared_anno_cnt=0;
+       for(pos=files_list;pos;++pos)
+       {
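Review bot: The zero pad written by `strings.resize(strings_size+3); memset((char*) strings+strings_size, 0, 4);` and the single `ptr >= (const char*)strings + strings_size` check depend on each other, but no comment in the new code says so. The check runs once per file at the top of the loop, while the body then reads up to three NUL-terminated strings (id, name, title) without rechecking, so it is the pad that keeps the second and third reads inside the buffer. I would add a comment above the `memset` such as `// Pad with NULs: id, name and title are each read after one bounds check per file, so up to three reads may start inside the pad.` The `+3` next to a length of 4 reads like an off-by-one unless `resize()` takes the new upper index rather than an element count, which is presumably the case here but is not visible in the hunk, so the same comment should state it. A names block that ends mid-entry appears to give the last file an empty name or title instead of reaching the `G_THROW`; if stricter rejection is wanted, the same check can be repeated before `file->name=ptr;` and `file->title=ptr;` (the body of `DjVmDir::decode` starts and ends outside the hunk).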