On Mon Oct 11, 2021 at 10:24:33AM +0200, Moritz Buhl wrote:
> bump
> 
> On Fri, Sep 17, 2021 at 12:17:25PM +0200, Moritz Buhl wrote:
> > Dear ports@,
> > 
> > updating graphics/djvulibre to 3.5.28 fixes the following bugs:
> > CVE-2021-3630: out-of-bounds write
> > CVE-2019-15143: infinite recursion
> > CVE-2019-15142: heap buffer over-read
> > CVE-2019-18804: NULL pointer deref
> > 
> > I added more bug fixes that are not yet in a release.
> > 
> > For testing I compiled graphics/djviewer and opened two old ebooks.
> > I also make tested graphics/ImageMagick.
> > 
> > mbuhl

OK rsadowski

> > 
> > Index: graphics/djvulibre/Makefile
> > ===================================================================
> > RCS file: /cvs/ports/graphics/djvulibre/Makefile,v
> > retrieving revision 1.45
> > diff -u -p -r1.45 Makefile
> > --- graphics/djvulibre/Makefile     12 Jul 2019 20:46:57 -0000      1.45
> > +++ graphics/djvulibre/Makefile     16 Sep 2021 21:01:47 -0000
> > @@ -2,9 +2,8 @@
> >  
> >  COMMENT=   view, decode and encode DjVu files
> >  
> > -DISTNAME=  djvulibre-3.5.27
> > -REVISION=  6
> > -SHARED_LIBS=       djvulibre       26.0    # 27.0
> > +DISTNAME=  djvulibre-3.5.28
> > +SHARED_LIBS=       djvulibre       27.0    # 28.0
> >  CATEGORIES=        graphics print
> >  
> >  HOMEPAGE=  http://djvu.sourceforge.net/
> > Index: graphics/djvulibre/distinfo
> > ===================================================================
> > RCS file: /cvs/ports/graphics/djvulibre/distinfo,v
> > retrieving revision 1.9
> > diff -u -p -r1.9 distinfo
> > --- graphics/djvulibre/distinfo     12 May 2015 16:10:27 -0000      1.9
> > +++ graphics/djvulibre/distinfo     16 Sep 2021 21:01:47 -0000
> > @@ -1,2 +1,2 @@
> > -SHA256 (djvulibre-3.5.27.tar.gz) = 
> > 5pZoJSVlYDh1+4hQDN4Cv5PRLUijiE5HJpbIlugfUF8=
> > -SIZE (djvulibre-3.5.27.tar.gz) = 3648522
> > +SHA256 (djvulibre-3.5.28.tar.gz) = 
> > /NAJ6nZU/eWoNgDrgHV706dpmOR9E8ZrVMjbhJ+PLtw=
> > +SIZE (djvulibre-3.5.28.tar.gz) = 3701161
> > Index: graphics/djvulibre/patches/patch-configure_ac
> > ===================================================================
> > RCS file: /cvs/ports/graphics/djvulibre/patches/patch-configure_ac,v
> > retrieving revision 1.2
> > diff -u -p -r1.2 patch-configure_ac
> > --- graphics/djvulibre/patches/patch-configure_ac   12 May 2015 16:10:27 
> > -0000      1.2
> > +++ graphics/djvulibre/patches/patch-configure_ac   16 Sep 2021 21:01:47 
> > -0000
> > @@ -1,7 +1,8 @@
> >  $OpenBSD: patch-configure_ac,v 1.2 2015/05/12 16:10:27 shadchin Exp $
> > ---- configure.ac.orig      Sun Mar 29 10:30:55 2015
> > -+++ configure.ac   Sun Mar 29 10:31:17 2015
> > -@@ -129,7 +129,6 @@ RM="$RM -f"
> > +Index: configure.ac
> > +--- configure.ac.orig
> > ++++ configure.ac
> > +@@ -131,7 +131,6 @@ RM="$RM -f"
> >   # Libtool & Compilers
> >   AC_PROG_CC
> >   AC_PROG_CXX
> > Index: graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp
> > diff -N graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp
> > --- /dev/null       1 Jan 1970 00:00:00 -0000
> > +++ graphics/djvulibre/patches/patch-libdjvu_DataPool_cpp   16 Sep 2021 
> > 21:01:47 -0000
> > @@ -0,0 +1,18 @@
> > +$OpenBSD$
> > +
> > +Fix CVE-2021-32492: Out-of-Bounds Read
> > +https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
> > +
> > +Index: libdjvu/DataPool.cpp
> > +--- libdjvu/DataPool.cpp.orig
> > ++++ libdjvu/DataPool.cpp
> > +@@ -791,6 +791,9 @@ DataPool::create(const GP<DataPool> & pool, int start,
> > +   DEBUG_MSG("DataPool::DataPool: pool=" << (void *)((DataPool *)pool) << 
> > " start=" << start << " length= " << length << "\n");
> > +   DEBUG_MAKE_INDENT(3);
> > + 
> > ++  if (!pool)
> > ++    G_THROW( ERR_MSG("DataPool.zero_DataPool") );
> > ++
> > +   DataPool *xpool=new DataPool();
> > +   GP<DataPool> retval=xpool;
> > +   xpool->init();
> > Index: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp
> > diff -N graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp
> > --- graphics/djvulibre/patches/patch-libdjvu_DjVmDir_cpp    2 Mar 2016 
> > 20:10:36 -0000       1.1
> > +++ /dev/null       1 Jan 1970 00:00:00 -0000
> > @@ -1,94 +0,0 @@
> > -$OpenBSD: patch-libdjvu_DjVmDir_cpp,v 1.1 2016/03/02 20:10:36 juanfra Exp $
> > -
> > -"accept documents with duplicate page titles"
> > -
> > -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> > -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> > -
> > ---- libdjvu/DjVmDir.cpp.orig       Tue Jul  8 23:15:07 2014
> > -+++ libdjvu/DjVmDir.cpp    Wed Feb  3 01:51:28 2016
> > -@@ -223,7 +223,6 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
> > -    page2file.resize(-1);
> > -    name2file.empty();
> > -    id2file.empty();
> > --   title2file.empty();
> > - 
> > -    int ver=str.read8();
> > -    bool bundled=(ver & 0x80)!=0;
> > -@@ -375,18 +374,6 @@ DjVmDir::decode(const GP<ByteStream> &gstr)
> > -             G_THROW( ERR_MSG("DjVmDir.dupl_id") "\t" + file->id);
> > -          id2file[file->id]=file;
> > -       }
> > --
> > --         // Generate title2file map
> > --      for(pos=files_list;pos;++pos)
> > --      {
> > --         GP<File> file=files_list[pos];
> > --         if (file->title.length())
> > --         {
> > --            if (title2file.contains(file->title))
> > --               G_THROW( ERR_MSG("DjVmDir.dupl_title") "\t" + file->title);
> > --            title2file[file->title]=file;
> > --         }
> > --      }
> > -    }
> > - }
> > - 
> > -@@ -556,11 +543,19 @@ DjVmDir::id_to_file(const GUTF8String &id) const
> > - }
> > - 
> > - GP<DjVmDir::File>
> > --DjVmDir::title_to_file(const GUTF8String &title) const
> > -+DjVmDir::title_to_file(const GUTF8String &title, GPosition spos) const
> > - {
> > --   GCriticalSectionLock lock((GCriticalSection *) &class_lock);
> > --   GPosition pos;
> > --   return (title2file.contains(title, 
> > pos))?title2file[pos]:(GP<DjVmDir::File>(0));
> > -+  if (! title)
> > -+    return 0;
> > -+  GCriticalSectionLock lock((GCriticalSection *) &class_lock);
> > -+  if (! spos)
> > -+    for (GPosition pos = spos; pos; ++pos)
> > -+      if (files_list[pos]->is_page() && files_list[pos]->title == title)
> > -+        return files_list[pos];
> > -+  for (GPosition pos = files_list; pos; ++pos)
> > -+    if (files_list[pos]->is_page() && files_list[pos]->title == title)
> > -+      return files_list[pos];
> > -+  return 0;
> > - }
> > - 
> > - GP<DjVmDir::File>
> > -@@ -661,14 +656,7 @@ DjVmDir::insert_file(const GP<File> & file, int pos_nu
> > -      G_THROW( ERR_MSG("DjVmDir.dupl_name2") "\t" + file->name);
> > -    name2file[file->name]=file;
> > -    id2file[file->id]=file;
> > --   if (file->title.length())
> > --     {
> > --       if (title2file.contains(file->title))  
> > --         // duplicate titles may become ok some day
> > --         G_THROW( ERR_MSG("DjVmDir.dupl_title2") "\t" + file->title);
> > --       title2file[file->title]=file;
> > --     }
> > --
> > -+   
> > -       // Make sure that there is no more than one file with shared 
> > annotations
> > -    if (file->is_shared_anno())
> > -    {
> > -@@ -727,7 +715,6 @@ DjVmDir::delete_file(const GUTF8String &id)
> > -       {
> > -          name2file.del(f->name);
> > -          id2file.del(f->id);
> > --         title2file.del(f->title);
> > -          if (f->is_page())
> > -          {
> > -             for(int page=0;page<page2file.size();page++)
> > -@@ -788,9 +775,7 @@ DjVmDir::set_file_title(const GUTF8String &id, const G
> > -    if (!id2file.contains(id, pos))
> > -       G_THROW( ERR_MSG("DjVmDir.no_info") "\t" + GUTF8String(id));
> > -    GP<File> file=id2file[pos];
> > --   title2file.del(file->title);
> > -    file->title=title;
> > --   title2file[title]=file;
> > - }
> > - 
> > - GPList<DjVmDir::File>
> > Index: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h
> > diff -N graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h
> > --- graphics/djvulibre/patches/patch-libdjvu_DjVmDir_h      2 Mar 2016 
> > 20:10:36 -0000       1.1
> > +++ /dev/null       1 Jan 1970 00:00:00 -0000
> > @@ -1,41 +0,0 @@
> > -$OpenBSD: patch-libdjvu_DjVmDir_h,v 1.1 2016/03/02 20:10:36 juanfra Exp $
> > -
> > -"accept documents with duplicate page titles"
> > -
> > -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> > -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> > -
> > ---- libdjvu/DjVmDir.h.orig Tue Jul  8 23:15:07 2014
> > -+++ libdjvu/DjVmDir.h      Wed Feb  3 01:51:28 2016
> > -@@ -181,7 +181,8 @@ class DJVUAPI DjVmDir : public GPEnabled (public)
> > -       /** Translates file IDs to file records. */
> > -    GP<File> id_to_file(const GUTF8String &id) const;
> > -       /** Translates file shortcuts to file records. */
> > --   GP<File> title_to_file(const GUTF8String &title) const;
> > -+   GP<File> title_to_file(const GUTF8String &title, GPosition spos) const;
> > -+   GP<File> title_to_file(const GUTF8String &title) const; 
> > -       /** Access file record by position. */
> > -    GP<File> pos_to_file(int fileno, int *ppageno=0) const;
> > -       /** Returns position of the file in the directory. */
> > -@@ -216,7 +217,6 @@ class DJVUAPI DjVmDir : public GPEnabled (public)
> > -    GPArray<File> page2file;
> > -    GPMap<GUTF8String, File> name2file;
> > -    GPMap<GUTF8String, File> id2file;
> > --   GPMap<GUTF8String, File> title2file;
> > - private: //dummy stuff
> > -    static void decode(ByteStream *);
> > -    static void encode(ByteStream *);
> > -@@ -438,6 +438,13 @@ DjVmDir::is_indirect(void) const
> > -   GCriticalSectionLock lock((GCriticalSection *) &class_lock);
> > -   return ( files_list.size() && files_list[files_list] != 0 &&
> > -            files_list[files_list]->offset==0 );
> > -+}
> > -+
> > -+inline GP<DjVmDir::File> 
> > -+DjVmDir::title_to_file(const GUTF8String &title) const
> > -+{
> > -+  GPosition pos;
> > -+  return title_to_file(title, pos);
> > - }
> > - 
> > - 
> > Index: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp
> > diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp
> > --- graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_cpp       2 Mar 
> > 2016 20:10:36 -0000       1.1
> > +++ /dev/null       1 Jan 1970 00:00:00 -0000
> > @@ -1,37 +0,0 @@
> > -$OpenBSD: patch-libdjvu_DjVuDocument_cpp,v 1.1 2016/03/02 20:10:36 juanfra 
> > Exp $
> > -
> > -"accept documents with duplicate page titles"
> > -
> > -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> > -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> > -
> > ---- libdjvu/DjVuDocument.cpp.orig  Mon Sep 22 00:06:03 2014
> > -+++ libdjvu/DjVuDocument.cpp       Wed Feb  3 01:51:28 2016
> > -@@ -805,11 +805,9 @@ DjVuDocument::id_to_url(const GUTF8String & id) const
> > -       {
> > -         GP<DjVmDir::File> file=djvm_dir->id_to_file(id);
> > -         if (!file)
> > --              {
> > -                 file=djvm_dir->name_to_file(id);
> > --          if (!file)
> > --                  file=djvm_dir->title_to_file(id);
> > --              }
> > -+        if (!file)
> > -+                file=djvm_dir->title_to_file(id);
> > -         if (file)
> > -           return GURL::UTF8(file->get_load_name(),init_url);
> > -       }
> > -@@ -819,11 +817,9 @@ DjVuDocument::id_to_url(const GUTF8String & id) const
> > -       {
> > -          GP<DjVmDir::File> file=djvm_dir->id_to_file(id);
> > -          if (!file)
> > --               {
> > -                  file=djvm_dir->name_to_file(id);
> > --           if (!file)
> > --                   file=djvm_dir->title_to_file(id);
> > --               }
> > -+        if (!file)
> > -+                file=djvm_dir->title_to_file(id);
> > -          if (file)
> > -            return GURL::UTF8(file->get_load_name(),init_url.base());
> > -       }
> > Index: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h
> > diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h
> > --- graphics/djvulibre/patches/patch-libdjvu_DjVuDocument_h 2 Mar 2016 
> > 20:10:36 -0000       1.1
> > +++ /dev/null       1 Jan 1970 00:00:00 -0000
> > @@ -1,17 +0,0 @@
> > -$OpenBSD: patch-libdjvu_DjVuDocument_h,v 1.1 2016/03/02 20:10:36 juanfra 
> > Exp $
> > -
> > -"accept documents with duplicate page titles"
> > -
> > -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> > -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> > -
> > ---- libdjvu/DjVuDocument.h.orig    Tue Jul  8 23:15:07 2014
> > -+++ libdjvu/DjVuDocument.h Wed Feb  3 01:51:28 2016
> > -@@ -524,7 +524,6 @@ class DJVUAPI DjVuDocument : public DjVuPort (public)
> > -              \begin{enumerate}
> > -                 \item File ID from the \Ref{DjVmDir}
> > -                 \item File name from the \Ref{DjVmDir}
> > --                \item File title from the \Ref{DjVmDir}
> > -              \end{enumerate}
> > -              Then for #BUNDLED# document the URL is obtained by
> > -              appending the #name# of the found file to the document's
> > Index: graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp
> > diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp
> > --- /dev/null       1 Jan 1970 00:00:00 -0000
> > +++ graphics/djvulibre/patches/patch-libdjvu_DjVuFile_cpp   16 Sep 2021 
> > 21:01:47 -0000
> > @@ -0,0 +1,16 @@
> > +$OpenBSD$
> > +
> > +https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
> > +
> > +Index: libdjvu/DjVuFile.cpp
> > +--- libdjvu/DjVuFile.cpp.orig
> > ++++ libdjvu/DjVuFile.cpp
> > +@@ -576,6 +576,8 @@ DjVuFile::process_incl_chunk(ByteStream & str, int fil
> > +     GURL incl_url=pcaster->id_to_url(this, incl_str);
> > +     if (incl_url.is_empty())      // Fallback. Should never be used.
> > +       incl_url=GURL::UTF8(incl_str,url.base());
> > ++    if (incl_url == url)        // Infinite loop avoidance
> > ++      G_THROW( ERR_MSG("DjVuFile.malformed") );
> > +     
> > +     // Now see if there is already a file with this *name* created
> > +     {
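Review bot: The added `incl_url == url` test in process_incl_chunk rejects only a file that includes itself. A cycle through a second file (A includes B, B includes A) is not caught by this comparison, so whether that case is bounded depends on code outside the hunk. A comment would make the limit explicit: `// catches direct self-inclusion only; longer include cycles must be stopped elsewhere`. The patch file also carries only the upstream URL, where the sibling patches open with a `Fix CVE-...` line; a one-line description of what it fixes would help whoever next updates the port.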
> > Index: graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h
> > diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h
> > --- graphics/djvulibre/patches/patch-libdjvu_DjVuMessageLite_h      2 Mar 
> > 2016 20:10:36 -0000       1.1
> > +++ /dev/null       1 Jan 1970 00:00:00 -0000
> > @@ -1,20 +0,0 @@
> > -$OpenBSD: patch-libdjvu_DjVuMessageLite_h,v 1.1 2016/03/02 20:10:36 
> > juanfra Exp $
> > -
> > -"accept documents with duplicate page titles"
> > -
> > -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> > -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> > -
> > ---- libdjvu/DjVuMessageLite.h.orig Tue Jul  8 23:15:07 2014
> > -+++ libdjvu/DjVuMessageLite.h      Wed Feb  3 01:51:28 2016
> > -@@ -89,8 +89,8 @@ class ByteStream;
> > -     separator ::= newline |
> > -                   newline | separator
> > -     
> > --    single_message ::= message_ID |
> > --                       message_ID parameters
> > -+    single_message ::= CTRLC message_ID |
> > -+                       CTRLC message_ID parameters
> > -     
> > -     parameters ::= tab string |
> > -                    tab string parameters
> > Index: graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp
> > ===================================================================
> > RCS file: 
> > /cvs/ports/graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp,v
> > retrieving revision 1.1
> > diff -u -p -r1.1 patch-libdjvu_DjVuPalette_cpp
> > --- graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp        20 Apr 
> > 2017 01:40:33 -0000      1.1
> > +++ graphics/djvulibre/patches/patch-libdjvu_DjVuPalette_cpp        16 Sep 
> > 2021 21:01:47 -0000
> > @@ -1,11 +1,12 @@
> >  $OpenBSD: patch-libdjvu_DjVuPalette_cpp,v 1.1 2017/04/20 01:40:33 espie 
> > Exp $
> > ---- libdjvu/DjVuPalette.cpp.orig   Thu Apr 20 03:30:12 2017
> > -+++ libdjvu/DjVuPalette.cpp        Thu Apr 20 03:38:11 2017
> > -@@ -98,6 +98,7 @@ inline unsigned char 
> > +Index: libdjvu/DjVuPalette.cpp
> > +--- libdjvu/DjVuPalette.cpp.orig
> > ++++ libdjvu/DjVuPalette.cpp
> > +@@ -99,6 +99,7 @@ inline unsigned char 
> >   umin(unsigned char a, unsigned char b) 
> >   { return (a>b) ? b : a; }
> >   
> >  +#define fmin myfmin
> >   inline float 
> > - fmin(float a, float b) 
> > + fmin(float a, float b)
> >   { return (a>b) ? b : a; }
> > Index: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp
> > diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp
> > --- /dev/null       1 Jan 1970 00:00:00 -0000
> > +++ graphics/djvulibre/patches/patch-libdjvu_DjVuPort_cpp   16 Sep 2021 
> > 21:01:47 -0000
> > @@ -0,0 +1,28 @@
> > +$OpenBSD$
> > +
> > +Fix CVE-2021-3500: Stack-Based Buffer Overflow
> > +https://bugzilla.redhat.com/show_bug.cgi?id=1943411
> > +
> > +Index: libdjvu/DjVuPort.cpp
> > +--- libdjvu/DjVuPort.cpp.orig
> > ++++ libdjvu/DjVuPort.cpp
> > +@@ -507,10 +507,19 @@ GP<DjVuFile>
> > + DjVuPortcaster::id_to_file(const DjVuPort * source, const GUTF8String &id)
> > + {
> > +    GPList<DjVuPort> list;
> > ++
> > ++   if (!!opening_id && opening_id == id)
> > ++      G_THROW( ERR_MSG("DjVuPortcaster.recursive_open") );
> > ++   else
> > ++      opening_id = id;
> > ++
> > +    compute_closure(source, list, true);
> > +    GP<DjVuFile> file;
> > +    for(GPosition pos=list;pos;++pos)
> > +       if ((file=list[pos]->id_to_file(source, id))) break;
> > ++
> > ++   opening_id = GUTF8String();
> > ++
> > +    return file;
> > + }
> > + 
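Review bot: `opening_id` is cleared only on the normal return path of DjVuPortcaster::id_to_file, so if the nested `id_to_file` calls in the loop (or `compute_closure`) throw, the member keeps the stale id and a later, unrelated lookup of the same id is rejected as recursive_open. This assumes G_THROW unwinds as a C++ exception; a setjmp-based build would need a G_TRY/G_CATCH reset instead. The single slot is also overwritten by the `else` branch and blanked by whichever nested call returns first, so it catches only immediate re-entry with the same id; an alternating A/B chain passes the check, and the outer call loses its guard once an inner lookup finishes. Saving and restoring the previous value in a scoped guard fixes the first and last points; detecting longer cycles would need a set of in-progress ids.

```cpp
   // Restores the previous opening_id on every exit path, including a throw.
   struct OpeningIdGuard {
      GUTF8String &slot;
      GUTF8String saved;
      OpeningIdGuard(GUTF8String &s, const GUTF8String &id) : slot(s), saved(s) { slot = id; }
      ~OpeningIdGuard() { slot = saved; }
   };

   if (!!opening_id && opening_id == id)
      G_THROW( ERR_MSG("DjVuPortcaster.recursive_open") );
   OpeningIdGuard guard(opening_id, id);

   // … unchanged: compute_closure and the id_to_file loop …
   return file;
```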
> > Index: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h
> > diff -N graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h
> > --- /dev/null       1 Jan 1970 00:00:00 -0000
> > +++ graphics/djvulibre/patches/patch-libdjvu_DjVuPort_h     16 Sep 2021 
> > 21:01:47 -0000
> > @@ -0,0 +1,16 @@
> > +$OpenBSD$
> > +
> > +Fix CVE-2021-3500: Stack-Based Buffer Overflow
> > +https://bugzilla.redhat.com/show_bug.cgi?id=1943411
> > +
> > +Index: libdjvu/DjVuPort.h
> > +--- libdjvu/DjVuPort.h.orig
> > ++++ libdjvu/DjVuPort.h
> > +@@ -484,6 +484,7 @@ class DJVUAPI DjVuPortcaster (private)
> > +                        const DjVuPort *dst, int distance);
> > +    void compute_closure(const DjVuPort *src, GPList<DjVuPort> &list,
> > +                         bool sorted=false);
> > ++   GUTF8String opening_id;
> > + };
> > + 
> > + 
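Review bot: `opening_id` is added to DjVuPortcaster with no comment, although it is mutable per-object state that id_to_file() rewrites on every lookup. A line such as `// id currently being resolved by id_to_file(); empty when no lookup is in progress` would document it. If the portcaster is shared between threads (not visible in this hunk), two concurrent lookups of the same id would trip the recursion check against each other, so the member probably needs to sit under whatever lock protects the rest of the class.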
> > Index: graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp
> > diff -N graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp
> > --- /dev/null       1 Jan 1970 00:00:00 -0000
> > +++ graphics/djvulibre/patches/patch-libdjvu_GBitmap_cpp    16 Sep 2021 
> > 21:01:47 -0000
> > @@ -0,0 +1,17 @@
> > +$OpenBSD$
> > +
> > +Fix CVE-2021-32493: Integer Overflow Leading to Heap Buffer Overflow
> > +https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
> > +
> > +Index: libdjvu/GBitmap.cpp
> > +--- libdjvu/GBitmap.cpp.orig
> > ++++ libdjvu/GBitmap.cpp
> > +@@ -1284,6 +1284,8 @@ GBitmap::decode(unsigned char *runs)
> > +   // initialize pixel array
> > +   if (nrows==0 || ncolumns==0)
> > +     G_THROW( ERR_MSG("GBitmap.not_init") );
> > ++  if (ncolumns + border != (unsigned short)(ncolumns+border))
> > ++    G_THROW("GBitmap: image size exceeds maximum (corrupted file?)");
> > +   bytes_per_row = ncolumns + border;
> > +   if (runs==0)
> > +     G_THROW( ERR_MSG("GBitmap.null_arg") );
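Review bot: The added width check in GBitmap::decode is an unexplained cast-and-compare, and it throws a bare string literal where the throws on either side of it use `ERR_MSG("GBitmap....")` keys. A comment would state the intent, e.g. `// bytes_per_row is presumably unsigned short: reject widths where ncolumns + border would wrap when stored`. Using an `ERR_MSG` key for the new throw would keep it consistent with `GBitmap.not_init` and `GBitmap.null_arg`, if the message catalogue can be extended in the port. The declarations of `ncolumns`, `border` and `bytes_per_row` are outside the hunk, so the storage type is inferred from the cast.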
> > Index: graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp
> > diff -N graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp
> > --- /dev/null       1 Jan 1970 00:00:00 -0000
> > +++ graphics/djvulibre/patches/patch-libdjvu_IW44Image_cpp  16 Sep 2021 
> > 21:01:47 -0000
> > @@ -0,0 +1,22 @@
> > +$OpenBSD$
> > +
> > +Fix CVE-2021-32490: out of bounds write
> > +https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
> > +
> > +Index: libdjvu/IW44Image.cpp
> > +--- libdjvu/IW44Image.cpp.orig
> > ++++ libdjvu/IW44Image.cpp
> > +@@ -676,9 +676,13 @@ IW44Image::Map::image(signed char *img8, int rowsize, 
> > +   // Allocate reconstruction buffer
> > +   short *data16;
> > +   size_t sz = bw * bh;
> > ++  if (sz == 0)
> > ++    G_THROW("IW44Image: image size is zero (corrupted file?)");
> > +   if (sz / (size_t)bw != (size_t)bh) // multiplication overflow
> > +     G_THROW("IW44Image: image size exceeds maximum (corrupted file?)");
> > +   GPBuffer<short> gdata16(data16,sz);
> > ++  if (data16 == 0)
> > ++    G_THROW("IW44Image: unable to allocate image buffer");
> > +   // Copy coefficients
> > +   int i;
> > +   short *p = data16;
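Review bot: The product in `size_t sz = bw * bh;` is still evaluated in the operands' own type before it is widened. If `bw` and `bh` are int (the `(size_t)` casts in the division check suggest they are not size_t), the overflow the next check looks for has already happened, as signed overflow. Casting first, `size_t sz = (size_t)bw * (size_t)bh;`, makes the division test meaningful, and rejecting `bw <= 0 || bh <= 0` before it would keep negative dimensions from becoming huge sizes. The added `sz == 0` test does usefully keep a zero `bw` out of the division. The function body continues outside the hunk.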
> > Index: graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp
> > ===================================================================
> > RCS file: /cvs/ports/graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp,v
> > retrieving revision 1.2
> > diff -u -p -r1.2 patch-libdjvu_miniexp_cpp
> > --- graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp    12 May 2015 
> > 16:10:27 -0000      1.2
> > +++ graphics/djvulibre/patches/patch-libdjvu_miniexp_cpp    16 Sep 2021 
> > 21:01:47 -0000
> > @@ -1,7 +1,8 @@
> >  $OpenBSD: patch-libdjvu_miniexp_cpp,v 1.2 2015/05/12 16:10:27 shadchin Exp 
> > $
> > ---- libdjvu/miniexp.cpp.orig       Wed Feb 11 09:35:37 2015
> > -+++ libdjvu/miniexp.cpp    Sat Mar 28 21:24:09 2015
> > -@@ -1241,7 +1241,7 @@ static int stdio_fputs(miniexp_io_t *io, const char 
> > *s
> > +Index: libdjvu/miniexp.cpp
> > +--- libdjvu/miniexp.cpp.orig
> > ++++ libdjvu/miniexp.cpp
> > +@@ -1300,7 +1300,7 @@ static int stdio_fputs(miniexp_io_t *io, const char 
> > *s
> >   
> >   static int true_stdio_fgetc(miniexp_io_t *io) {
> >     FILE *f = (io->data[0]) ? (FILE*)(io->data[0]) : stdin;
> > Index: graphics/djvulibre/patches/patch-tools_ddjvu_cpp
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-tools_ddjvu_cpp
> > diff -N graphics/djvulibre/patches/patch-tools_ddjvu_cpp
> > --- /dev/null       1 Jan 1970 00:00:00 -0000
> > +++ graphics/djvulibre/patches/patch-tools_ddjvu_cpp        16 Sep 2021 
> > 21:01:47 -0000
> > @@ -0,0 +1,22 @@
> > +$OpenBSD$
> > +
> > +Fix CVE-2021-32491: Integer Overflow Leading to Heap-Based Buffer Overflow
> > +https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6
> > +
> > +Index: tools/ddjvu.cpp
> > +--- tools/ddjvu.cpp.orig
> > ++++ tools/ddjvu.cpp
> > +@@ -393,8 +393,11 @@ render(ddjvu_page_t *page, int pageno)
> > +   } else if (style == DDJVU_FORMAT_GREY8)
> > +     rowsize = rrect.w;
> > +   else
> > +-    rowsize = rrect.w * 3; 
> > +-  if (! (image = (char*)malloc(rowsize * rrect.h)))
> > ++    rowsize = rrect.w * 3;
> > ++  size_t bufsize = (size_t)rowsize * rrect.h;
> > ++  if (bufsize / rowsize != rrect.h)
> > ++    die(i18n("Integer overflow when allocating image buffer for page 
> > %d"), pageno);
> > ++  if (! (image = (char*)malloc(bufsize)))
> > +     die(i18n("Cannot allocate image buffer for page %d"), pageno);
> > + 
> > +   /* Render */
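Review bot: The new overflow check in render() divides by `rowsize` without excluding zero, and it runs only after `rowsize = rrect.w * 3` has been computed in the narrower type, so a row size that already wrapped would pass it. If `rrect.w` can be 0 at this point the division faults; `if (rowsize <= 0 || bufsize / rowsize != rrect.h)` covers that, assuming `rowsize` is a signed int (its declaration is outside the hunk). The width multiplication is better bounded before it happens, by comparing `rrect.w` against the type's maximum divided by 3. Where size_t is 64 bits and both operands are 32 bits, the `(size_t)rowsize * rrect.h` product cannot overflow, which leaves the earlier multiplication as the only place a wrap can occur. render() starts and ends outside this hunk.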
> > Index: graphics/djvulibre/patches/patch-tools_djvused_cpp
> > ===================================================================
> > RCS file: graphics/djvulibre/patches/patch-tools_djvused_cpp
> > diff -N graphics/djvulibre/patches/patch-tools_djvused_cpp
> > --- graphics/djvulibre/patches/patch-tools_djvused_cpp      2 Mar 2016 
> > 20:10:36 -0000       1.1
> > +++ /dev/null       1 Jan 1970 00:00:00 -0000
> > @@ -1,27 +0,0 @@
> > -$OpenBSD: patch-tools_djvused_cpp,v 1.1 2016/03/02 20:10:36 juanfra Exp $
> > -
> > -"accept documents with duplicate page titles"
> > -
> > -http://sourceforge.net/p/djvu/djvulibre-git/ci/77a4dca8dd3acd0acc1680fa14a352c11084e25d/
> > -https://bitbucket.org/jwilk/pdf2djvu/issues/113/duplicate-page-title-1
> > -
> > ---- tools/djvused.cpp.orig Sun Feb  8 20:39:42 2015
> > -+++ tools/djvused.cpp      Wed Feb  3 01:51:28 2016
> > -@@ -66,6 +66,7 @@
> > - #include "GString.h"
> > - #include "DjVuDocEditor.h"
> > - #include "DjVuDumpHelper.h"
> > -+#include "DjVuMessageLite.h"
> > - #include "BSByteStream.h"
> > - #include "DjVuText.h"
> > - #include "DjVuAnno.h"
> > -@@ -2315,7 +2316,8 @@ execute()
> > -       G_CATCH(ex)
> > -         {
> > -           vprint("Error (%s): %s",
> > --                 (const char*)ToNative(token), ex.get_cause());
> > -+                 (const char*)ToNative(token), 
> > -+                 (const char 
> > *)DjVuMessageLite::LookUpUTF8(ex.get_cause()));
> > -           if (! verbose)
> > -             G_RETHROW;
> > -         }
> > Index: graphics/djvulibre/pkg/PLIST
> > ===================================================================
> > RCS file: /cvs/ports/graphics/djvulibre/pkg/PLIST,v
> > retrieving revision 1.10
> > diff -u -p -r1.10 PLIST
> > --- graphics/djvulibre/pkg/PLIST    1 Jul 2018 18:33:36 -0000       1.10
> > +++ graphics/djvulibre/pkg/PLIST    16 Sep 2021 21:01:47 -0000
> > @@ -22,7 +22,7 @@
> >  include/libdjvu/
> >  include/libdjvu/ddjvuapi.h
> >  include/libdjvu/miniexp.h
> > -lib/libdjvulibre.a
> > +@static-lib lib/libdjvulibre.a
> >  lib/libdjvulibre.la
> >  @lib lib/libdjvulibre.so.${LIBdjvulibre_VERSION}
> >  lib/pkgconfig/ddjvuapi.pc
> > @@ -72,20 +72,19 @@ share/djvu/pubtext/
> >  share/djvu/pubtext/DjVuMessages.dtd
> >  share/djvu/pubtext/DjVuOCR.dtd
> >  share/djvu/pubtext/DjVuXML-s.dtd
> > -share/icons/hicolor/128x128/mimetypes/djvu.png
> > -share/icons/hicolor/16x16/mimetypes/djvu.png
> > +share/icons/hicolor/128x128/mimetypes/image-vnd.djvu.png
> > +share/icons/hicolor/16x16/mimetypes/image-vnd.djvu.png
> >  share/icons/hicolor/20x20/
> >  share/icons/hicolor/20x20/mimetypes/
> > -share/icons/hicolor/20x20/mimetypes/djvu.png
> > -share/icons/hicolor/22x22/mimetypes/djvu.png
> > -share/icons/hicolor/24x24/mimetypes/djvu.png
> > -share/icons/hicolor/256x256/mimetypes/djvu.png
> > -share/icons/hicolor/32x32/mimetypes/djvu.png
> > -share/icons/hicolor/48x48/mimetypes/djvu.png
> > -share/icons/hicolor/64x64/mimetypes/djvu.png
> > -share/icons/hicolor/72x72/mimetypes/djvu.png
> > -share/icons/hicolor/96x96/mimetypes/djvu.png
> > -share/icons/hicolor/scalable/mimetypes/djvu.svgz
> > -share/mime/packages/djvulibre-mime.xml
> >  @tag gtk-update-icon-cache %D/share/icons/hicolor
> >  @tag update-mime-database
> > +share/icons/hicolor/20x20/mimetypes/image-vnd.djvu.png
> > +share/icons/hicolor/22x22/mimetypes/image-vnd.djvu.png
> > +share/icons/hicolor/24x24/mimetypes/image-vnd.djvu.png
> > +share/icons/hicolor/256x256/mimetypes/image-vnd.djvu.png
> > +share/icons/hicolor/32x32/mimetypes/image-vnd.djvu.png
> > +share/icons/hicolor/48x48/mimetypes/image-vnd.djvu.png
> > +share/icons/hicolor/64x64/mimetypes/image-vnd.djvu.png
> > +share/icons/hicolor/72x72/mimetypes/image-vnd.djvu.png
> > +share/icons/hicolor/96x96/mimetypes/image-vnd.djvu.png
> > +share/icons/hicolor/scalable/mimetypes/image-vnd.djvu.svgz
> > 
> 
