Fix CVE-2019-11459

(cherry picked from commit c2eb6d26c30ef91fb4fd6564a0e05bfb53d7e965)
2022-02-26 18:24:49 +08:00 · 2022-02-26 18:24:49 +08:00 · 298a81dbce
commit 298a81dbce
parent 3e20cf1d7d
2 changed files with 77 additions and 1 deletions
--- a/CVE-2019-11459.patch
+++ b/CVE-2019-11459.patch
@ -0,0 +1,72 @@
 From 234f034a4d15cd46dd556f4945f99fbd57ef5f15 Mon Sep 17 00:00:00 2001
 From: Jason Crain <jcrain@src.gnome.org>
 Date: Mon, 15 Apr 2019 23:06:36 -0600
 Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented
 The TIFFReadRGBAImageOriented function returns zero if it was unable to
 read the image. Return NULL in this case instead of displaying
 uninitialized memory.
 Fixes #1129
 ---
 backend/tiff/tiff-document.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)
 diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
 index 7715031b9..38bb3bd8f 100644
 --- a/backend/tiff/tiff-document.c
 +++ b/backend/tiff/tiff-document.c
@@ -292,18 +292,22 @@ tiff_document_render (EvDocument      *document,
 		g_warning("Failed to allocate memory for rendering.");
 		return NULL;
 	}
 -	
 +
 +	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
 +					width, height,
 +					(uint32 *)pixels,
 +					orientation, 0)) {
 +		g_warning ("Failed to read TIFF image.");
 +		g_free (pixels);
 +		return NULL;
 +	}
 +
 	surface = cairo_image_surface_create_for_data (pixels,
 						       CAIRO_FORMAT_RGB24,
 						       width, height,
 						       rowstride);
 	cairo_surface_set_user_data (surface, &key,
 				     pixels, (cairo_destroy_func_t)g_free);
 -
 -	TIFFReadRGBAImageOriented (tiff_document->tiff,
 -				   width, height,
 -				   (uint32 *)pixels,
 -				   orientation, 0);
 	pop_handlers ();
 	/* Convert the format returned by libtiff to
@@ -384,13 +388,17 @@ tiff_document_get_thumbnail (EvDocument      *document,
 	if (!pixels)
 		return NULL;
 +	if (!TIFFReadRGBAImageOriented (tiff_document->tiff,
 +					width, height,
 +					(uint32 *)pixels,
 +					ORIENTATION_TOPLEFT, 0)) {
 +		g_free (pixels);
 +		return NULL;
 +	}
 +
 	pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8, 
 					   width, height, rowstride,
 					   (GdkPixbufDestroyNotify) g_free, NULL);
 -	TIFFReadRGBAImageOriented (tiff_document->tiff,
 -				   width, height,
 -				   (uint32 *)pixels,
 -				   ORIENTATION_TOPLEFT, 0);
 	pop_handlers ();
 	ev_render_context_compute_scaled_size (rc, width, height * (x_res / y_res),
 -- 
 GitLab
--- a/evince.spec
+++ b/evince.spec
@ -1,12 +1,13 @@
 Name:           evince
 Version:        3.30.1
-Release:        3
+Release:        4
 Summary:        Document viewer for multiple document formats
 License:        GPLv2+ and GPLv3+ and LGPLv2+ and MIT and Afmparse
 URL:            https://wiki.gnome.org/Apps/Evince
 Source0:        https://download.gnome.org/sources/%{name}/3.30/%{name}-%{version}.tar.xz
 Patch0:         evince-3.21.4-NPNVToolKit.patch
 Patch1:         0001-Resolves-deb-762530-rhbz-1061177-add-man-pages.patch
 Patch2:         CVE-2019-11459.patch
 BuildRequires:  pkgconfig(gio-unix-2.0) >= 2.36.0 pkgconfig(gtk+-x11-3.0) >= 3.16.0 pkgconfig(gnome-desktop-3.0)
 BuildRequires:  pkgconfig(poppler-glib) >= 0.24.0 pkgconfig(libgxps) >= 0.2.1       pkgconfig(gobject-introspection-1.0)
@ -102,5 +103,8 @@ desktop-file-validate $RPM_BUILD_ROOT%{_datadir}/applications/org.gnome.Evince-p
 %changelog
 * Sat Feb 26 2022 yaoxin <yaoxin30@huawei.com> - 3.30.1-4
 - Fix CVE-2019-11459
 * Mon Dec 2 2019 chenzhenyu <chenzhenyu13@huawei.com> - 3.30.1-3
 - Package init