bump

On Fri, Sep 17, 2021 at 12:17:25PM +0200, Moritz Buhl wrote:
> Dear ports@,
> 
> updating graphics/djvulibre to 3.5.28 fixes the following bugs:
> CVE-2021-3630: out-of-bounds write
> CVE-2019-15143: infinite recursion
> CVE-2019-15142: heap buffer over-read
> CVE-2019-18804: NULL pointer deref
> 
> I added more bug fixes that are not yet in a release.
> 
> For testing I compiled graphics/djviewer and opened two old ebooks.
> I also make tested graphics/ImageMagick.
> 
> mbuhl
> 
> Index: graphics/djvulibre/Makefile
> ===================================================================
> RCS file: /cvs/ports/graphics/djvulibre/Makefile,v
> retrieving revision 1.45
> diff -u -p -r1.45 Makefile
> --- graphics/djvulibre/Makefile       12 Jul 2019 20:46:57 -0000      1.45
> +++ graphics/djvulibre/Makefile       16 Sep 2021 21:01:47 -0000
> @@ -2,9 +2,8 @@
>  
>  COMMENT=     view, decode and encode DjVu files
>  
> -DISTNAME=    djvulibre-3.5.27
> -REVISION=    6
> -SHARED_LIBS= djvulibre       26.0    # 27.0
> +DISTNAME=    djvulibre-3.5.28
> +SHARED_LIBS= djvulibre       27.0    # 28.0
>  CATEGORIES=  graphics print
>  
>  HOMEPAGE=    http://djvu.sourceforge.net/
> Index: graphics/djvulibre/distinfo
> ===================================================================
> RCS file: /cvs/ports/graphics/djvulibre/distinfo,v
> retrieving revision 1.9
> diff -u -p -r1.9 distinfo
> --- graphics/djvulibre/distinfo       12 May 2015 16:10:27 -0000      1.9
> +++ graphics/djvulibre/distinfo       16 Sep 2021 21:01:47 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (djvulibre-3.5.27.tar.gz) = 
> 5pZoJSVlYDh1+4hQDN4Cv5PRLUijiE5HJpbIlugfUF8=
> -SIZE (djvulibre-3.5.27.tar.gz) = 3648522
> +SHA256 (djvulibre-3.5.28.tar.gz) = 
> /NAJ6nZU/eWoNgDrgHV706dpmOR9E8ZrVMjbhJ+PLtw=
> +SIZE (djvulibre-3.5.28.tar.gz) = 3701161
> Index: graphics/djvulibre/patches/patch-configure_ac
> ===================================================================
> RCS file: /cvs/ports/graphics/djvulibre/patches/patch-configure_ac,v
> retrieving revision 1.2
> diff -u -p -r1.2 patch-configure_ac
> --- graphics/djvulibre/patches/patch-configure_ac     12 May 2015 16:10:27 
> -0000      1.2
> +++ graphics/djvulibre/patches/patch-configure_ac     16 Sep 2021 21:01:47 
> -0000
> @@ -1,7 +1,8 @@
>  $OpenBSD: patch-configure_ac,v 1.2 2015/05/12 16:10:27 shadchin Exp $
> ---- configure.ac.orig        Sun Mar 29 10:30:55 2015
> -+++ configure.ac     Sun Mar 29 10:31:17 2015
> -@@ -129,7 +129,6 @@ RM="$RM -f"
> +Index: configure.ac
> +--- configure.ac.orig
> ++++ configure.ac
> +@@ -131,7 +131,6 @@ RM="$RM -f"
>   # Libtool & Compilers
>   AC_PROG_CC
>   AC_PROG_CXX
> Index: graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp
> diff -N graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp     16 Sep 2021 
> 21:01:47 -0000
> @@ -0,0 +1,18 @@
> +$OpenBSD$
> +
> +Fix CVE-2021-32492: Out-of-Bounds Read
> +https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
> +
> +Index: libdjvu/DataPool.cpp
> +--- libdjvu/DataPool.cpp.orig
> ++++ libdjvu/DataPool.cpp
> +@@ -791,6 +791,9 @@ DataPool::create(const GP<DataPool> & pool, int start,
> +   DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << " 
> start=" << start << " length= " << length << "\n");
> +   DEBUG_MAKE_INDENT(3);
> + 
> ++  if (!pool)
> ++    G_THROW( ERR_MSG("DataPool.zero_DataPool") );
> ++
> +   DataPool *xpool=new DataPool();
> +   GP<DataPool> retval=xpool;
> +   xpool->init();
> Index: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp
> diff -N graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp
> --- graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp      2 Mar 2016 
> 20:10:36 -0000       1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,94 +0,0 @@
> -$OpenBSD: patch-libdjvu_DjVmDir_cpp,v 1.1 2016/03/02 20:10:36 juanfra Exp $
> -
> -"accept documents with duplicate page titles"
> -
> -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> -
> ---- libdjvu/DjVmDir.cpp.orig Tue Jul  8 23:15:07 2014
> -+++ libdjvu/DjVmDir.cpp      Wed Feb  3 01:51:28 2016
> -@@ -223,7 +223,6 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
> -    page2file.resize(-1);
> -    name2file.empty();
> -    id2file.empty();
> --   title2file.empty();
> - 
> -    int ver=str.read8();
> -    bool bundled=(ver & 0x80)!=0;
> -@@ -375,18 +374,6 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
> -               G_THROW( ERR_MSG("DjVmDir.dupl_id") "\t" + file->id);
> -            id2file[file->id]=file;
> -       }
> --
> --         // Generate title2file map
> --      for(pos=files_list;pos;++pos)
> --      {
> --           GP<File> file=files_list[pos];
> --           if (file->title.length())
> --           {
> --              if (title2file.contains(file->title))
> --                 G_THROW( ERR_MSG("DjVmDir.dupl_title") "\t" + file->title);
> --              title2file[file->title]=file;
> --           }
> --      }
> -    }
> - }
> - 
> -@@ -556,11 +543,19 @@ DjVmDir::id_to_file(const GUTF8String &id) const
> - }
> - 
> - GP<DjVmDir::File>
> --DjVmDir::title_to_file(const GUTF8String &title) const
> -+DjVmDir::title_to_file(const GUTF8String &title, GPosition spos) const
> - {
> --   GCriticalSectionLock lock((GCriticalSection *) &class_lock);
> --   GPosition pos;
> --   return (title2file.contains(title, 
> pos))?title2file[pos]:(GP<DjVmDir::File>(0));
> -+  if (! title)
> -+    return 0;
> -+  GCriticalSectionLock lock((GCriticalSection *) &class_lock);
> -+  if (! spos)
> -+    for (GPosition pos = spos; pos; ++pos)
> -+      if (files_list[pos]->is_page() && files_list[pos]->title == title)
> -+        return files_list[pos];
> -+  for (GPosition pos = files_list; pos; ++pos)
> -+    if (files_list[pos]->is_page() && files_list[pos]->title == title)
> -+      return files_list[pos];
> -+  return 0;
> - }
> - 
> - GP<DjVmDir::File>
> -@@ -661,14 +656,7 @@ DjVmDir::insert_file(const GP<File> & file, int pos_nu
> -      G_THROW( ERR_MSG("DjVmDir.dupl_name2") "\t" + file->name);
> -    name2file[file->name]=file;
> -    id2file[file->id]=file;
> --   if (file->title.length())
> --     {
> --       if (title2file.contains(file->title))  
> --         // duplicate titles may become ok some day
> --         G_THROW( ERR_MSG("DjVmDir.dupl_title2") "\t" + file->title);
> --       title2file[file->title]=file;
> --     }
> --
> -+   
> -       // Make sure that there is no more than one file with shared 
> annotations
> -    if (file->is_shared_anno())
> -    {
> -@@ -727,7 +715,6 @@ DjVmDir::delete_file(const GUTF8String &id)
> -       {
> -          name2file.del(f->name);
> -          id2file.del(f->id);
> --         title2file.del(f->title);
> -          if (f->is_page())
> -          {
> -             for(int page=0;page<page2file.size();page++)
> -@@ -788,9 +775,7 @@ DjVmDir::set_file_title(const GUTF8String &id, const G
> -    if (!id2file.contains(id, pos))
> -       G_THROW( ERR_MSG("DjVmDir.no_info") "\t" + GUTF8String(id));
> -    GP<File> file=id2file[pos];
> --   title2file.del(file->title);
> -    file->title=title;
> --   title2file[title]=file;
> - }
> - 
> - GPList<DjVmDir::File>
> Index: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h
> diff -N graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h
> --- graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h        2 Mar 2016 
> 20:10:36 -0000       1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,41 +0,0 @@
> -$OpenBSD: patch-libdjvu_DjVmDir_h,v 1.1 2016/03/02 20:10:36 juanfra Exp $
> -
> -"accept documents with duplicate page titles"
> -
> -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> -
> ---- libdjvu/DjVmDir.h.orig   Tue Jul  8 23:15:07 2014
> -+++ libdjvu/DjVmDir.h        Wed Feb  3 01:51:28 2016
> -@@ -181,7 +181,8 @@ class DJVUAPI DjVmDir : public GPEnabled (public)
> -       /** Translates file IDs to file records. */
> -    GP<File> id_to_file(const GUTF8String &id) const;
> -       /** Translates file shortcuts to file records. */
> --   GP<File> title_to_file(const GUTF8String &title) const;
> -+   GP<File> title_to_file(const GUTF8String &title, GPosition spos) const;
> -+   GP<File> title_to_file(const GUTF8String &title) const; 
> -       /** Access file record by position. */
> -    GP<File> pos_to_file(int fileno, int *ppageno=0) const;
> -       /** Returns position of the file in the directory. */
> -@@ -216,7 +217,6 @@ class DJVUAPI DjVmDir : public GPEnabled (public)
> -    GPArray<File> page2file;
> -    GPMap<GUTF8String, File> name2file;
> -    GPMap<GUTF8String, File> id2file;
> --   GPMap<GUTF8String, File> title2file;
> - private: //dummy stuff
> -    static void decode(ByteStream *);
> -    static void encode(ByteStream *);
> -@@ -438,6 +438,13 @@ DjVmDir::is_indirect(void) const
> -   GCriticalSectionLock lock((GCriticalSection *) &class_lock);
> -   return ( files_list.size() && files_list[files_list] != 0 &&
> -            files_list[files_list]->offset==0 );
> -+}
> -+
> -+inline GP<DjVmDir::File> 
> -+DjVmDir::title_to_file(const GUTF8String &title) const
> -+{
> -+  GPosition pos;
> -+  return title_to_file(title, pos);
> - }
> - 
> - 
> Index: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp
> diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp
> --- graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp 2 Mar 2016 
> 20:10:36 -0000       1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,37 +0,0 @@
> -$OpenBSD: patch-libdjvu_DjVuDocument_cpp,v 1.1 2016/03/02 20:10:36 juanfra 
> Exp $
> -
> -"accept documents with duplicate page titles"
> -
> -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> -
> ---- libdjvu/DjVuDocument.cpp.orig    Mon Sep 22 00:06:03 2014
> -+++ libdjvu/DjVuDocument.cpp Wed Feb  3 01:51:28 2016
> -@@ -805,11 +805,9 @@ DjVuDocument::id_to_url(const GUTF8String & id) const
> -         {
> -           GP<DjVmDir::File> file=djvm_dir->id_to_file(id);
> -           if (!file)
> --              {
> -                 file=djvm_dir->name_to_file(id);
> --            if (!file)
> --                  file=djvm_dir->title_to_file(id);
> --              }
> -+          if (!file)
> -+                file=djvm_dir->title_to_file(id);
> -           if (file)
> -             return GURL::UTF8(file->get_load_name(),init_url);
> -         }
> -@@ -819,11 +817,9 @@ DjVuDocument::id_to_url(const GUTF8String & id) const
> -         {
> -            GP<DjVmDir::File> file=djvm_dir->id_to_file(id);
> -            if (!file)
> --               {
> -                  file=djvm_dir->name_to_file(id);
> --             if (!file)
> --                   file=djvm_dir->title_to_file(id);
> --               }
> -+          if (!file)
> -+                file=djvm_dir->title_to_file(id);
> -            if (file)
> -              return GURL::UTF8(file->get_load_name(),init_url.base());
> -         }
> Index: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h
> diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h
> --- graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h   2 Mar 2016 
> 20:10:36 -0000       1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,17 +0,0 @@
> -$OpenBSD: patch-libdjvu_DjVuDocument_h,v 1.1 2016/03/02 20:10:36 juanfra Exp 
> $
> -
> -"accept documents with duplicate page titles"
> -
> -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> -
> ---- libdjvu/DjVuDocument.h.orig      Tue Jul  8 23:15:07 2014
> -+++ libdjvu/DjVuDocument.h   Wed Feb  3 01:51:28 2016
> -@@ -524,7 +524,6 @@ class DJVUAPI DjVuDocument : public DjVuPort (public)
> -                \begin{enumerate}
> -                   \item File ID from the \Ref{DjVmDir}
> -                   \item File name from the \Ref{DjVmDir}
> --                  \item File title from the \Ref{DjVmDir}
> -                \end{enumerate}
> -                Then for #BUNDLED# document the URL is obtained by
> -                appending the #name# of the found file to the document's
> Index: graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp
> diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp     16 Sep 2021 
> 21:01:47 -0000
> @@ -0,0 +1,16 @@
> +$OpenBSD$
> +
> +https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
> +
> +Index: libdjvu/DjVuFile.cpp
> +--- libdjvu/DjVuFile.cpp.orig
> ++++ libdjvu/DjVuFile.cpp
> +@@ -576,6 +576,8 @@ DjVuFile::process_incl_chunk(ByteStream & str, int fil
> +     GURL incl_url=pcaster->id_to_url(this, incl_str);
> +     if (incl_url.is_empty())        // Fallback. Should never be used.
> +       incl_url=GURL::UTF8(incl_str,url.base());
> ++    if (incl_url == url)        // Infinite loop avoidance
> ++      G_THROW( ERR_MSG("DjVuFile.malformed") );
> +     
> +     // Now see if there is already a file with this *name* created
> +     {
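Review bot: The added `incl_url == url` test in `process_incl_chunk` only rejects a file that includes itself directly. An include cycle through a second file (A includes B, B includes A) never compares equal at this point, and whether that case is caught elsewhere is not visible in the hunk. Unlike the other new patches in this update, the patch header carries only the upstream commit URL; a line saying what it fixes would help, for example `Avoid infinite recursion on a DjVu file that includes itself`. The function body starts and ends outside the hunk.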
> Index: graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h
> diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h
> --- graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h        2 Mar 
> 2016 20:10:36 -0000       1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,20 +0,0 @@
> -$OpenBSD: patch-libdjvu_DjVuMessageLite_h,v 1.1 2016/03/02 20:10:36 juanfra 
> Exp $
> -
> -"accept documents with duplicate page titles"
> -
> -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> -
> ---- libdjvu/DjVuMessageLite.h.orig   Tue Jul  8 23:15:07 2014
> -+++ libdjvu/DjVuMessageLite.h        Wed Feb  3 01:51:28 2016
> -@@ -89,8 +89,8 @@ class ByteStream;
> -     separator ::= newline |
> -                   newline | separator
> -     
> --    single_message ::= message_ID |
> --                       message_ID parameters
> -+    single_message ::= CTRLC message_ID |
> -+                       CTRLC message_ID parameters
> -     
> -     parameters ::= tab string |
> -                    tab string parameters
> Index: graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp
> ===================================================================
> RCS file: 
> /cvs/ports/graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp,v
> retrieving revision 1.1
> diff -u -p -r1.1 patch-libdjvu_DjVuPalette_cpp
> --- graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp  20 Apr 2017 
> 01:40:33 -0000      1.1
> +++ graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp  16 Sep 2021 
> 21:01:47 -0000
> @@ -1,11 +1,12 @@
>  $OpenBSD: patch-libdjvu_DjVuPalette_cpp,v 1.1 2017/04/20 01:40:33 espie Exp $
> ---- libdjvu/DjVuPalette.cpp.orig     Thu Apr 20 03:30:12 2017
> -+++ libdjvu/DjVuPalette.cpp  Thu Apr 20 03:38:11 2017
> -@@ -98,6 +98,7 @@ inline unsigned char 
> +Index: libdjvu/DjVuPalette.cpp
> +--- libdjvu/DjVuPalette.cpp.orig
> ++++ libdjvu/DjVuPalette.cpp
> +@@ -99,6 +99,7 @@ inline unsigned char 
>   umin(unsigned char a, unsigned char b) 
>   { return (a>b) ? b : a; }
>   
>  +#define fmin myfmin
>   inline float 
> - fmin(float a, float b) 
> + fmin(float a, float b)
>   { return (a>b) ? b : a; }
> Index: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp
> diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp     16 Sep 2021 
> 21:01:47 -0000
> @@ -0,0 +1,28 @@
> +$OpenBSD$
> +
> +Fix CVE-2021-3500: Stack-Based Buffer Overflow
> +https://bugzilla.redhat.com/show_bug.cgi?id=1943411
> +
> +Index: libdjvu/DjVuPort.cpp
> +--- libdjvu/DjVuPort.cpp.orig
> ++++ libdjvu/DjVuPort.cpp
> +@@ -507,10 +507,19 @@ GP<DjVuFile>
> + DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
> + {
> +    GPList<DjVuPort> list;
> ++
> ++   if (!!opening_id && opening_id == id)
> ++      G_THROW( ERR_MSG("DjVuPortcaster.recursive_open") );
> ++   else
> ++      opening_id = id;
> ++
> +    compute_closure(source, list, true);
> +    GP<DjVuFile> file;
> +    for(GPosition pos=list;pos;++pos)
> +       if ((file=list[pos]->id_to_file(source, id))) break;
> ++
> ++   opening_id = GUTF8String();
> ++
> +    return file;
> + }
> + 
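Review bot: The `opening_id` guard in `DjVuPortcaster::id_to_file` is cleared only on the normal return path, so an exception from `compute_closure()` or from a nested `id_to_file()` call leaves the id set. That includes the `recursive_open` throw this patch adds, after which the next legitimate lookup of the same id is rejected as recursive. Clearing the slot on the exception path as well, as sketched below, fixes the stale state. It does not fix the single-slot design: a nested lookup of a different id overwrites and then clears `opening_id`, so a cycle through two or more ids is presumably not detected. The member added in patch-libdjvu_DjVuPort_h is also read and written here with no lock visible in the hunk.

```cpp
   // … unchanged: list declaration and the recursive_open check …
   GP<DjVuFile> file;
   G_TRY
     {
       compute_closure(source, list, true);
       for(GPosition pos=list;pos;++pos)
         if ((file=list[pos]->id_to_file(source, id))) break;
     }
   G_CATCH_ALL
     {
       opening_id = GUTF8String();   // do not leave a stale id behind
       G_RETHROW;
     }
   G_ENDCATCH;
   opening_id = GUTF8String();
   return file;
```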
> Index: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h
> diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h       16 Sep 2021 
> 21:01:47 -0000
> @@ -0,0 +1,16 @@
> +$OpenBSD$
> +
> +Fix CVE-2021-3500: Stack-Based Buffer Overflow
> +https://bugzilla.redhat.com/show_bug.cgi?id=1943411
> +
> +Index: libdjvu/DjVuPort.h
> +--- libdjvu/DjVuPort.h.orig
> ++++ libdjvu/DjVuPort.h
> +@@ -484,6 +484,7 @@ class DJVUAPI DjVuPortcaster (private)
> +                        const DjVuPort *dst, int distance);
> +    void compute_closure(const DjVuPort *src, GPList<DjVuPort> &list,
> +                         bool sorted=false);
> ++   GUTF8String opening_id;
> + };
> + 
> + 
> Index: graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp
> diff -N graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp      16 Sep 2021 
> 21:01:47 -0000
> @@ -0,0 +1,17 @@
> +$OpenBSD$
> +
> +Fix CVE-2021-32493: Integer Overflow Leading to Heap Buffer Overflow
> +https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
> +
> +Index: libdjvu/GBitmap.cpp
> +--- libdjvu/GBitmap.cpp.orig
> ++++ libdjvu/GBitmap.cpp
> +@@ -1284,6 +1284,8 @@ GBitmap::decode(unsigned char *runs)
> +   // initialize pixel array
> +   if (nrows==0 || ncolumns==0)
> +     G_THROW( ERR_MSG("GBitmap.not_init") );
> ++  if (ncolumns + border != (unsigned short)(ncolumns+border))
> ++    G_THROW("GBitmap: image size exceeds maximum (corrupted file?)");
> +   bytes_per_row = ncolumns + border;
> +   if (runs==0)
> +     G_THROW( ERR_MSG("GBitmap.null_arg") );
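Review bot: The truncation test `ncolumns + border != (unsigned short)(ncolumns+border)` in `GBitmap::decode` depends on the width of `bytes_per_row`, which is declared outside the hunk. A short comment above it would make the limit reviewable, for example `// bytes_per_row is presumably 16 bits wide; reject sums that would truncate`. The new throw also passes a literal string, while the neighbouring throws use `ERR_MSG(...)` keys; it is worth confirming that is intended for the message lookup. The function body continues outside the hunk.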
> Index: graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp
> diff -N graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp    16 Sep 2021 
> 21:01:47 -0000
> @@ -0,0 +1,22 @@
> +$OpenBSD$
> +
> +Fix CVE-2021-32490: out of bounds write
> +https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
> +
> +Index: libdjvu/IW44Image.cpp
> +--- libdjvu/IW44Image.cpp.orig
> ++++ libdjvu/IW44Image.cpp
> +@@ -676,9 +676,13 @@ IW44Image::Map::image(signed char *img8, int rowsize, 
> +   // Allocate reconstruction buffer
> +   short *data16;
> +   size_t sz = bw * bh;
> ++  if (sz == 0)
> ++    G_THROW("IW44Image: image size is zero (corrupted file?)");
> +   if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
> +     G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
> +   GPBuffer<short> gdata16(data16,sz);
> ++  if (data16 == 0)
> ++    G_THROW("IW44Image: unable to allocate image buffer");
> +   // Copy coefficients
> +   int i;
> +   short *p = data16;
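Review bot: `size_t sz = bw * bh;` in `IW44Image::Map::image` still multiplies in the operands' own type before widening. If `bw` and `bh` are `int` (their declarations are outside the hunk), an oversized image overflows a signed multiplication, which is undefined behaviour, so the `sz / (size_t)bw != (size_t)bh` check that follows cannot be relied on. Widen before multiplying, as the tools/ddjvu.cpp patch in this same update does: `size_t sz = (size_t)bw * (size_t)bh;`. The added `sz == 0` test correctly comes before the division and should stay ahead of it. The function body continues outside the hunk.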
> Index: graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp
> ===================================================================
> RCS file: /cvs/ports/graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp,v
> retrieving revision 1.2
> diff -u -p -r1.2 patch-libdjvu_miniexp_cpp
> --- graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp      12 May 2015 
> 16:10:27 -0000      1.2
> +++ graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp      16 Sep 2021 
> 21:01:47 -0000
> @@ -1,7 +1,8 @@
>  $OpenBSD: patch-libdjvu_miniexp_cpp,v 1.2 2015/05/12 16:10:27 shadchin Exp $
> ---- libdjvu/miniexp.cpp.orig Wed Feb 11 09:35:37 2015
> -+++ libdjvu/miniexp.cpp      Sat Mar 28 21:24:09 2015
> -@@ -1241,7 +1241,7 @@ static int stdio_fputs(miniexp_io_t *io, const char *s
> +Index: libdjvu/miniexp.cpp
> +--- libdjvu/miniexp.cpp.orig
> ++++ libdjvu/miniexp.cpp
> +@@ -1300,7 +1300,7 @@ static int stdio_fputs(miniexp_io_t *io, const char *s
>   
>   static int true_stdio_fgetc(miniexp_io_t *io) {
>     FILE *f = (io->data[0]) ? (FILE*)(io->data[0]) : stdin;
> Index: graphics/djvulibre/patches/patch-tools_ddjvu_cpp
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-tools_ddjvu_cpp
> diff -N graphics/djvulibre/patches/patch-tools_ddjvu_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ graphics/djvulibre/patches/patch-tools_ddjvu_cpp  16 Sep 2021 21:01:47 
> -0000
> @@ -0,0 +1,22 @@
> +$OpenBSD$
> +
> +Fix CVE-2021-32491: Integer Overflow Leading to Heap-Based Buffer Overflow
> +https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
> +
> +Index: tools/ddjvu.cpp
> +--- tools/ddjvu.cpp.orig
> ++++ tools/ddjvu.cpp
> +@@ -393,8 +393,11 @@ render(ddjvu_page_t *page, int pageno)
> +   } else if (style == DDJVU_FORMAT_GREY8)
> +     rowsize = rrect.w;
> +   else
> +-    rowsize = rrect.w * 3; 
> +-  if (! (image = (char*)malloc(rowsize * rrect.h)))
> ++    rowsize = rrect.w * 3;
> ++  size_t bufsize = (size_t)rowsize * rrect.h;
> ++  if (bufsize / rowsize != rrect.h)
> ++    die(i18n("Integer overflow when allocating image buffer for page %d"), 
> pageno);
> ++  if (! (image = (char*)malloc(bufsize)))
> +     die(i18n("Cannot allocate image buffer for page %d"), pageno);
> + 
> +   /* Render */
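Review bot: The new overflow test in `render` divides by `rowsize`, and nothing in the hunk rules out a render rectangle of zero width, so `bufsize / rowsize` can run with a zero divisor. Guarding the divisor keeps the check safe: `if (rowsize == 0 || bufsize / rowsize != rrect.h)`. Separately, `rowsize = rrect.w * 3` on the line above is still computed before any check, so the value being tested may already have wrapped or changed sign; the type of `rowsize` is declared outside the hunk. Computing the row size in `size_t` and bounding `rrect.w` first would close that gap.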
> Index: graphics/djvulibre/patches/patch-tools_djvused_cpp
> ===================================================================
> RCS file: graphics/djvulibre/patches/patch-tools_djvused_cpp
> diff -N graphics/djvulibre/patches/patch-tools_djvused_cpp
> --- graphics/djvulibre/patches/patch-tools_djvused_cpp        2 Mar 2016 
> 20:10:36 -0000       1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,27 +0,0 @@
> -$OpenBSD: patch-tools_djvused_cpp,v 1.1 2016/03/02 20:10:36 juanfra Exp $
> -
> -"accept documents with duplicate page titles"
> -
> -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> -
> ---- tools/djvused.cpp.orig   Sun Feb  8 20:39:42 2015
> -+++ tools/djvused.cpp        Wed Feb  3 01:51:28 2016
> -@@ -66,6 +66,7 @@
> - #include "GString.h"
> - #include "DjVuDocEditor.h"
> - #include "DjVuDumpHelper.h"
> -+#include "DjVuMessageLite.h"
> - #include "BSByteStream.h"
> - #include "DjVuText.h"
> - #include "DjVuAnno.h"
> -@@ -2315,7 +2316,8 @@ execute()
> -       G_CATCH(ex)
> -         {
> -           vprint("Error (%s): %s",
> --                 (const char*)ToNative(token), ex.get_cause());
> -+                 (const char*)ToNative(token), 
> -+                 (const char *)DjVuMessageLite::LookUpUTF8(ex.get_cause()));
> -           if (! verbose)
> -             G_RETHROW;
> -         }
> Index: graphics/djvulibre/pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/graphics/djvulibre/pkg/PLIST,v
> retrieving revision 1.10
> diff -u -p -r1.10 PLIST
> --- graphics/djvulibre/pkg/PLIST      1 Jul 2018 18:33:36 -0000       1.10
> +++ graphics/djvulibre/pkg/PLIST      16 Sep 2021 21:01:47 -0000
> @@ -22,7 +22,7 @@
>  include/libdjvu/
>  include/libdjvu/ddjvuapi.h
>  include/libdjvu/miniexp.h
> -lib/libdjvulibre.a
> +@static-lib lib/libdjvulibre.a
>  lib/libdjvulibre.la
>  @lib lib/libdjvulibre.so.${LIBdjvulibre_VERSION}
>  lib/pkgconfig/ddjvuapi.pc
> @@ -72,20 +72,19 @@ share/djvu/pubtext/
>  share/djvu/pubtext/DjVuMessages.dtd
>  share/djvu/pubtext/DjVuOCR.dtd
>  share/djvu/pubtext/DjVuXML-s.dtd
> -share/icons/hicolor/128x128/mimetypes/djvu.png
> -share/icons/hicolor/16x16/mimetypes/djvu.png
> +share/icons/hicolor/128x128/mimetypes/image-vnd.djvu.png
> +share/icons/hicolor/16x16/mimetypes/image-vnd.djvu.png
>  share/icons/hicolor/20x20/
>  share/icons/hicolor/20x20/mimetypes/
> -share/icons/hicolor/20x20/mimetypes/djvu.png
> -share/icons/hicolor/22x22/mimetypes/djvu.png
> -share/icons/hicolor/24x24/mimetypes/djvu.png
> -share/icons/hicolor/256x256/mimetypes/djvu.png
> -share/icons/hicolor/32x32/mimetypes/djvu.png
> -share/icons/hicolor/48x48/mimetypes/djvu.png
> -share/icons/hicolor/64x64/mimetypes/djvu.png
> -share/icons/hicolor/72x72/mimetypes/djvu.png
> -share/icons/hicolor/96x96/mimetypes/djvu.png
> -share/icons/hicolor/scalable/mimetypes/djvu.svgz
> -share/mime/packages/djvulibre-mime.xml
>  @tag gtk-update-icon-cache %D/share/icons/hicolor
>  @tag update-mime-database
> +share/icons/hicolor/20x20/mimetypes/image-vnd.djvu.png
> +share/icons/hicolor/22x22/mimetypes/image-vnd.djvu.png
> +share/icons/hicolor/24x24/mimetypes/image-vnd.djvu.png
> +share/icons/hicolor/256x256/mimetypes/image-vnd.djvu.png
> +share/icons/hicolor/32x32/mimetypes/image-vnd.djvu.png
> +share/icons/hicolor/48x48/mimetypes/image-vnd.djvu.png
> +share/icons/hicolor/64x64/mimetypes/image-vnd.djvu.png
> +share/icons/hicolor/72x72/mimetypes/image-vnd.djvu.png
> +share/icons/hicolor/96x96/mimetypes/image-vnd.djvu.png
> +share/icons/hicolor/scalable/mimetypes/image-vnd.djvu.svgz
> 
