Control: tags 1052668 + patch Control: tags 1052668 + pending Control: tags 1052669 + patch Control: tags 1052669 + pending
Dear maintainer, I've prepared an NMU for djvulibre (versioned as 3.5.28-2.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should cancel it. cu Adrian
diffstat for djvulibre-3.5.28 djvulibre-3.5.28 changelog | 10 ++++++++++ patches/CVE-2021-46310.patch | 20 ++++++++++++++++++++ patches/CVE-2021-46312.patch | 20 ++++++++++++++++++++ patches/series | 2 ++ 4 files changed, 52 insertions(+)
diff -Nru djvulibre-3.5.28/debian/changelog djvulibre-3.5.28/debian/changelog
--- djvulibre-3.5.28/debian/changelog 2025-07-04 08:38:58.000000000 +0300
+++ djvulibre-3.5.28/debian/changelog 2025-07-18 20:57:51.000000000 +0300
@@ -1,3 +1,13 @@
+djvulibre (3.5.28-2.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2021-46310: Divide by zero in IW44Image::Map::image()
+ (Closes: #1052668)
+ * CVE-2021-46312: Divide by zero in IWBitmap::Encode::init()
+ (Closes: #1052669)
+
+ -- Adrian Bunk <[email protected]> Fri, 18 Jul 2025 20:57:51 +0300
+
 djvulibre (3.5.28-2.1) unstable; urgency=high
 
 * Non-maintainer upload.
diff -Nru djvulibre-3.5.28/debian/patches/CVE-2021-46310.patch djvulibre-3.5.28/debian/patches/CVE-2021-46310.patch
--- djvulibre-3.5.28/debian/patches/CVE-2021-46310.patch 1970-01-01 02:00:00.000000000 +0200
+++ djvulibre-3.5.28/debian/patches/CVE-2021-46310.patch 2025-07-18 20:57:51.000000000 +0300
@@ -0,0 +1,20 @@
+Description: CVE-2021-46310: Divide by zero in IW44Image::Map::image()
+Bug-Debian: https://bugs.debian.org/1052668
+Origin: upstream
+Bug: https://sourceforge.net/p/djvu/bugs/345/
+
+--- djvulibre-3.5.28.orig/libdjvu/IW44Image.cpp
++++ djvulibre-3.5.28/libdjvu/IW44Image.cpp
+@@ -676,10 +676,10 @@ IW44Image::Map::image(signed char *img8,
+ // Allocate reconstruction buffer
+ short *data16;
+ size_t sz = bw * bh;
+- if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
+- G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+ if (sz == 0)
+ G_THROW("IW44Image: zero size image (corrupted file?)");
++ if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
++ G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
+ GPBuffer<short> gdata16(data16,sz);
+ if (data16 == NULL)
+ G_THROW("IW44Image: unable to allocate image data");
diff -Nru djvulibre-3.5.28/debian/patches/CVE-2021-46312.patch djvulibre-3.5.28/debian/patches/CVE-2021-46312.patch
--- djvulibre-3.5.28/debian/patches/CVE-2021-46312.patch 1970-01-01 02:00:00.000000000 +0200
+++ djvulibre-3.5.28/debian/patches/CVE-2021-46312.patch 2025-07-18 20:57:51.000000000 +0300
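Review bot: The context line `size_t sz = bw * bh;` in the IW44Image.cpp hunk still multiplies in the operands' own type and only widens the result, so if `bw` and `bh` are `int` (their declarations are outside the hunk) an overflowing product is undefined before either check runs, and the `sz / (size_t)bw != (size_t)bh` test cannot be relied on to catch it. Moving the `sz == 0` test first does keep a zero `bw` from reaching the division. Widening before the multiply, `size_t sz = (size_t)bw * (size_t)bh;`, would make the overflow check well defined. The same applies to the added `size_t sz = w * h;` in CVE-2021-46312.patch, where `h` is declared `int` in the visible context and `w` presumably is too. IW44Image::Map::image starts and ends outside the hunk.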
@@ -0,0 +1,20 @@
+Description: CVE-2021-46312: Divide by zero in IWBitmap::Encode::init()
+Bug-Debian: https://bugs.debian.org/1052669
+Bug: https://sourceforge.net/p/djvu/bugs/344/
+
+--- djvulibre-3.5.28.orig/libdjvu/IW44EncodeCodec.cpp
++++ djvulibre-3.5.28/libdjvu/IW44EncodeCodec.cpp
+@@ -1424,7 +1424,12 @@ IWBitmap::Encode::init(const GBitmap &bm
+ int h = bm.rows();
+ int g = bm.get_grays()-1;
+ signed char *buffer;
+- GPBuffer<signed char> gbuffer(buffer,w*h);
++ size_t sz = w * h;
++ if (sz == 0 || g <= 0) // w or h is zero or g is not positive
++ G_THROW("IWBitmap: zero size image (corrupted file?)");
++ if (sz / (size_t)w != (size_t)h) // multiplication overflow
++ G_THROW("IWBitmap: image size exceeds maximum (corrupted file?)");
++ GPBuffer<signed char> gbuffer(buffer,sz);
+ // Prepare gray level conversion table
+ signed char bconv[256];
+ for (i=0; i<256; i++)
diff -Nru djvulibre-3.5.28/debian/patches/series djvulibre-3.5.28/debian/patches/series
--- djvulibre-3.5.28/debian/patches/series 2025-07-04 08:38:17.000000000 +0300
+++ djvulibre-3.5.28/debian/patches/series 2025-07-18 20:57:51.000000000 +0300
@@ -6,3 +6,5 @@
 0006-djvulibre-fedora-Patch11-djvulibre-3.5.27-djvuport-s.patch
 0007-djvulibre-fedora-Patch12-djvulibre-3.5.27-unsigned-s.patch
 0008-Fix-potential-buffer-overflow-in-MMRDecoder.patch
+CVE-2021-46310.patch
+CVE-2021-46312.patch
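Review bot: The added guard `if (sz == 0 || g <= 0)` in the IW44EncodeCodec.cpp hunk throws "IWBitmap: zero size image (corrupted file?)" even when the dimensions are valid and only the gray-level count is not positive, so a rejected file is reported with the wrong cause. Giving `g <= 0` its own check, for example `if (g <= 0) G_THROW("IWBitmap: invalid gray level count (corrupted file?)");`, would keep the two failure modes distinguishable in logs and bug reports. The DEP-3 header of this patch also has no `Origin:` field, unlike CVE-2021-46310.patch, so its provenance is not recorded; `Origin: upstream, <commit URL>` would allow the backport to be checked against the upstream change. IWBitmap::Encode::init starts and ends outside the hunk.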

