!34 [sync] PR-31: Fix CVE-2022-34503

From: @openeuler-sync-bot 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001

CVE-2021-25786.patch

@@ -0,0 +1,85 @@
+From 74e00158f5da252b7f8e75e33dd9393f3ac6d3ef Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Mon, 21 Aug 2023 11:02:15 +0800
+Subject: [PATCH 1/1] Fix some pipelines to be safe if downstream write fails (fuzz
+ issue 28262)
+
+Origin:
+https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5
+---
+ libqpdf/Pl_AES_PDF.cc         | 2 +-
+ libqpdf/Pl_ASCII85Decoder.cc  | 7 +++++--
+ libqpdf/Pl_ASCIIHexDecoder.cc | 6 ++++--
+ libqpdf/Pl_Count.cc           | 2 +-
+ 4 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc
+index 5c493cb..64c9f15 100644
+--- a/libqpdf/Pl_AES_PDF.cc
++++ b/libqpdf/Pl_AES_PDF.cc
+@@ -260,6 +260,6 @@ Pl_AES_PDF::flush(bool strip_padding)
+ 	    }
+ 	}
+     }
+-    getNext()->write(this->outbuf, bytes);
+     this->offset = 0;
++    getNext()->write(this->outbuf, bytes);
+ }
+diff --git a/libqpdf/Pl_ASCII85Decoder.cc b/libqpdf/Pl_ASCII85Decoder.cc
+index 3a3b57b..4c888ee 100644
+--- a/libqpdf/Pl_ASCII85Decoder.cc
++++ b/libqpdf/Pl_ASCII85Decoder.cc
+@@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()
+ 
+     QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
+ 	    (this->pos == 5) ? 0 : 1);
+-    getNext()->write(outbuf, this->pos - 1);
+-
++    // Reset before calling getNext()->write in case that throws an
++    // exception.
++    auto t = this->pos - 1;
+     this->pos = 0;
+     memset(this->inbuf, 117, 5);
++
++    getNext()->write(outbuf, t);
+ }
+ 
+ void
+diff --git a/libqpdf/Pl_ASCIIHexDecoder.cc b/libqpdf/Pl_ASCIIHexDecoder.cc
+index d6acab2..6855a25 100644
+--- a/libqpdf/Pl_ASCIIHexDecoder.cc
++++ b/libqpdf/Pl_ASCIIHexDecoder.cc
+@@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()
+ 
+     QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
+ 	    (this->pos == 2) ? 0 : 1);
+-    getNext()->write(&ch, 1);
+-
++    // Reset before calling getNext()->write in case that throws an
++    // exception.
+     this->pos = 0;
+     this->inbuf[0] = '0';
+     this->inbuf[1] = '0';
+     this->inbuf[2] = '\0';
++
++    getNext()->write(&ch, 1);
+ }
+ 
+ void
+diff --git a/libqpdf/Pl_Count.cc b/libqpdf/Pl_Count.cc
+index c76a5e2..6dec58a 100644
+--- a/libqpdf/Pl_Count.cc
++++ b/libqpdf/Pl_Count.cc
+@@ -17,8 +17,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
+     if (len)
+     {
+ 	this->count += len;
+-	getNext()->write(buf, len);
+ 	this->last_char = buf[len - 1];
++	getNext()->write(buf, len);
+     }
+ }
+ 
+-- 
+2.30.0
+

CVE-2022-34503.patch

@@ -0,0 +1,33 @@
+From 674dafd5a778643f103fff4d5ff1b140db293a59 Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Mon, 5 Aug 2024 17:05:58 +0800
+Subject: [PATCH 1/1] heap-buffer-overflow in QPDF::processXRefStream found by ASAN
+
+Origin: 
+https://github.com/qpdf/qpdf/issues/701
+https://bugzilla.suse.com/show_bug.cgi?id=1201830#c5
+---
+ libqpdf/QPDF.cc | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
+index c1e30e0..9313588 100644
+--- a/libqpdf/QPDF.cc
++++ b/libqpdf/QPDF.cc
+@@ -1014,6 +1014,13 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
+                           "Cross-reference stream's /W contains"
+                           " impossibly large values");
+         }
++        if (W[i] < 0)
++        {
++            throw QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(),
++                          "xref stream", xref_offset,
++                          "Cross-reference stream's /W contains"
++                          " negative values");
++        }
+ 	entry_size += W[i];
+     }
+     if (entry_size == 0)
+-- 
+2.33.0
+

qpdf.spec

@@ -1,15 +1,16 @@
 Name:           qpdf
 Version:        8.4.2
-Release:        2
+Release:        5
 Summary:        A command-line program to transform PDF files
 License:        (Artistic 2.0 or ASL 2.0) and MIT
 URL:            http://qpdf.sourceforge.net/
 Source0:        http://downloads.sourceforge.net/sourceforge/qpdf/qpdf-%{version}.tar.gz
 
 Patch0000:      qpdf-doc.patch
-%ifarch aarch64
 Patch0001:      qpdf-erase-tests-with-generated-object-stream.patch
-%endif
+# https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5
+Patch0002:      CVE-2021-25786.patch
+Patch0003:      CVE-2022-34503.patch
 
 BuildRequires:  gcc gcc-c++ zlib-devel libjpeg-turbo-devel pcre-devel
 BuildRequires:  perl-interpreter perl-generators perl(Digest::MD5)
@@ -42,8 +43,13 @@ Obsoletes:      %{name}-doc < %{version}-%{release}
 This package contains some man help and other files for %{name}.
 
 %prep
-%autosetup -p1 
-
+%setup 
+%patch0000 -p1 
+%patch0002 -p1
+%patch0003 -p1
+%ifarch aarch64
+%patch0001 -p1
+%endif
 sed -i '1c#!/usr/bin/perl' qpdf/fix-qdf
 
 %build
@@ -83,5 +89,17 @@ make check
 %{_mandir}/man1/*
 
 %changelog
-* Wed Dec 11 2019 catastrowings <jianghuhao1994@163.com> - 8.4.2-2
+* Mon Aug 05 2024 yaoxin <yao_xin001@hoperun.com> - 8.4.2-5
+- Fix CVE-2022-34503
+
+* Mon Aug 21 2023 yaoxin <yao_xin001@hoperun.com> - 8.4.2-4
+- Fix CVE-2021-25786
+
+* Tue Nov 29 2022 Ge Wang <wangge20@h-partners.com> - 8.4.2-3
+- fix missing patch when get src package from x86 architecture
+
+* Wed Dec 16 2019 catastrowings <jianghuhao1994@163.com> - 8.4.2-2
+- fix build fail
+
+* Wed Dec 11 2019 catastrowings <jianghuhao1994@163.com> - 8.2.1-2
 - openEuler init

qpdf.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: qpdf/qpdf
+tag_prefix: ^release-qpdf-
+seperator: .