path: root/community/djvulibre/djvulibre-3.5.27-unsigned-short-overflow.patch
Diffstat (limited to 'community/djvulibre/djvulibre-3.5.27-unsigned-short-overflow.patch')
-rw-r--r--community/djvulibre/djvulibre-3.5.27-unsigned-short-overflow.patch21
1 files changed, 21 insertions, 0 deletions
diff --git a/community/djvulibre/djvulibre-3.5.27-unsigned-short-overflow.patch b/community/djvulibre/djvulibre-3.5.27-unsigned-short-overflow.patch
new file mode 100644
index 00000000000..c7a6f3a78e6
--- /dev/null
+++ b/community/djvulibre/djvulibre-3.5.27-unsigned-short-overflow.patch
@@ -0,0 +1,21 @@
+diff --git a/libdjvu/GBitmap.cpp b/libdjvu/GBitmap.cpp
+index c2fdbe4..e271a1d 100644
+--- a/libdjvu/GBitmap.cpp
++++ b/libdjvu/GBitmap.cpp
+@@ -69,6 +69,7 @@
+ #include <stddef.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ // - Author: Leon Bottou, 05/1997
+
+@@ -1284,6 +1285,8 @@ GBitmap::decode(unsigned char *runs)
+ // initialize pixel array
+ if (nrows==0 || ncolumns==0)
+ G_THROW( ERR_MSG("GBitmap.not_init") );
++ if (ncolumns > USHRT_MAX - border)
++ G_THROW("GBitmap: row size exceeds maximum (corrupted file?)");
+ bytes_per_row = ncolumns + border;
+ if (runs==0)
+ G_THROW( ERR_MSG("GBitmap.null_arg") );
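Review bot: The added patch file starts directly at its `diff --git a/libdjvu/GBitmap.cpp` line, so nothing in it records where the fix came from or which report it answers; a short header above the diff, for example `Upstream: <upstream-commit-url>` and `Fixes: <advisory-or-bug-id>`, would let a later maintainer confirm the patch matches upstream and drop it once a fixed release is packaged. The guard itself sits only in `GBitmap::decode`, whose body continues outside the hunk, and this hunk cannot show whether other places that store `ncolumns + border` into `bytes_per_row` need the same bound, so that is worth checking against the upstream source. The new `G_THROW` also passes a literal string where the two neighbouring throws use `ERR_MSG(...)` keys, which is fine to keep if it mirrors upstream but should be a conscious choice.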